As a Wikimedia user, I want to be able to enable the password reset update (i.e. username and email address required) in Preferences, so that I can mitigate harassment or mistaken identity via Special:PasswordReset.
Note: We don't know yet know if this preference will be opt-in or opt-out as default. For this reason, this work should be developed in such a way that we can later determine this behavior.
- Create a feature flag
- Add a preference that controls whether both username and email address are required for password reset
- Only show this preference if feature flag is enabled