Manual:$wgChangeCredentialsBlacklist

Details
List of AuthenticationRequest class names which are not changeable through Special:ChangeCredentials and the changeauthenticationdata API.

This is only enforced on the client level; AuthManager itself (e.g. AuthManager::allowsAuthenticationDataChange calls) is not affected.

Class names are checked for exact match (not for subclasses).