Help:Extension:EmailAuth

The extension EmailAuth automatically requires email verification on suspicious logins: after successfully entering your password, you get an email with a short one-time code, and you need to enter the code to finish logging in. This happens when the software thinks the login might come from someone who has stolen your password. There are various factors that go into that decision, for example whether you have recently used the wiki from the same device or IP address you are currently using.
Users who have set up two-factor authentication never get verification emails, as two-factor authentication is considered more secure than email verification.
What should I do if I get a code, even though I wasn't trying to log in?
If you get a code, that means someone entered your username and password. Unlike e.g. password reset emails, there is no way for someone to send you a code without knowing your password. If that someone wasn't you, that means your password was somehow stolen or guessed. You should change it as soon as possible, and consider setting up two-factor authentication if available.
You can make this less likely to happen by following good password practices:
- Pick a password that is hard to guess, preferably a random string of characters or multiple random dictionary words. Using a password manager makes this much easier. These days most browsers come with a decent password manager built in, and can generate and store random passwords for you.
- Do not reuse the same password on multiple sites, even if it's strong. If one website suffers from a data breach, all your other accounts are at risk.
- Do not install software that is pirated or otherwise of uncertain origin. Such software often contains malicious code that logs your keystrokes, or otherwise steals your password.
If you get a verification code unexpectedly, change your password; do not just rely on the email verification process to keep the attacker out. To minimize disruption for legitimate users, the wiki only requires verification when a login looks suspicious, so there is no guarantee it will catch every future attempt by the attacker.
What should I do if I cannot log in because I can't access the verification code?
If you can't log in because you no longer have access to the email address you registered with, your best option is to contact the operators of the wiki, who might or might not be able to help. In the case of Wikimedia wikis, this is the Trust and Safety team; see the instructions on Meta-Wiki. It is generally a good idea to make sure you have a working and confirmed email address set in your user preferences; there are many other ways to get locked out otherwise.
If you cannot log in because you are not receiving a verification code, even though you have access to the email address, you should report a bug. For Wikimedia wikis, you can use Phabricator. For non-Wikimedia wikis, you should use whatever system they use, or contact the operators.
I am interested in how this functionality works. Can I try it out?
This is installation-specific, but on Wikimedia wikis, if you want to test the functionality (e.g. because you are translating it), you can set a cookie with the name forceEmailAuth and the value 1 on the domain auth.wikimedia.org; as long as the cookie is present, you will always be required to go through email verification during login.
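The following is an added illustrative model of the behaviour described on this page (the post-password decision based on familiar device or IP, the exemption for two-factor users, the forceEmailAuth testing override, and a short one-time code that expires and tolerates only a few wrong guesses). It is not the EmailAuth extension's own code; the function names, the data layout and the policy constants (code lifetime, attempt cap, how long a device counts as "recently used") are assumptions chosen for the example.

```python
"""Illustrative model of risk-based email verification at login.

Added example, not the EmailAuth extension's code. All names and the
policy constants below are assumptions made for this demonstration.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field

# Assumed policy constants (not values taken from the extension).
CODE_TTL_SECONDS = 10 * 60              # a one-time code is valid this long
MAX_ATTEMPTS = 5                        # wrong guesses allowed before the code is void
RECENT_WINDOW_SECONDS = 30 * 24 * 3600  # how long a device/IP counts as "recently used"


@dataclass
class User:
    name: str
    has_two_factor: bool = False
    # device id / IP -> time of the last successful login from it
    known_devices: dict = field(default_factory=dict)
    known_ips: dict = field(default_factory=dict)


@dataclass
class LoginContext:
    ip: str
    device_id: str
    cookies: dict = field(default_factory=dict)


def _seen_recently(table, key, now):
    last = table.get(key)
    return last is not None and now - last <= RECENT_WINDOW_SECONDS


def should_require_email_auth(user, ctx, now=None):
    """Decide whether to demand an emailed code. Runs only after the password check passed."""
    now = time.time() if now is None else now
    if ctx.cookies.get("forceEmailAuth") == "1":   # testing override described on the page
        return True
    if user.has_two_factor:                         # two-factor users are never asked
        return False
    if _seen_recently(user.known_devices, ctx.device_id, now):
        return False
    if _seen_recently(user.known_ips, ctx.ip, now):
        return False
    return True                                     # unfamiliar device and IP: suspicious


@dataclass
class PendingCode:
    code: str
    expires_at: float
    attempts_left: int = MAX_ATTEMPTS


def issue_code(now=None):
    """Generate a six-digit code from a CSPRNG; the caller emails it to the user."""
    now = time.time() if now is None else now
    return PendingCode(f"{secrets.randbelow(10 ** 6):06d}", now + CODE_TTL_SECONDS)


def verify_code(pending, submitted, now=None):
    """Constant-time comparison with expiry, a guess cap, and single use on success."""
    now = time.time() if now is None else now
    if now > pending.expires_at or pending.attempts_left <= 0:
        return False
    pending.attempts_left -= 1
    ok = hmac.compare_digest(pending.code.encode(), submitted.strip().encode())
    if ok:
        pending.attempts_left = 0   # a code that has been used once is never accepted again
    return ok


def record_successful_login(user, ctx, now=None):
    """After a completed login, remember the device and IP so they count as familiar next time."""
    now = time.time() if now is None else now
    user.known_devices[ctx.device_id] = now
    user.known_ips[ctx.ip] = now


if __name__ == "__main__":
    # Constructed sample: a user logs in from a new laptop, then again from the same one.
    alice = User("Alice")
    ctx = LoginContext(ip="203.0.113.7", device_id="laptop-1")
    print(should_require_email_auth(alice, ctx))   # True: nothing is familiar yet
    pending = issue_code()
    print(verify_code(pending, pending.code))       # True: correct code, now consumed
    record_successful_login(alice, ctx)
    print(should_require_email_auth(alice, ctx))   # False: the device is now known
```

The decision function is deliberately evaluated only after the password has been verified, which is why, as the page says, receiving a code means someone already knew the password. The comparison uses hmac.compare_digest so that checking a guess does not leak timing information, and the attempt cap and expiry keep a six-digit code from being brute-forced within its lifetime.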