Manual:$wgChangeCredentialsBlacklist

Details
List of AuthenticationRequest class names which are not changeable through Special:ChangeCredentials and the changeauthenticationdata API. This is only enforced on the client level; AuthManager itself (e.g. AuthManager::allowsAuthenticationDataChange calls) is not affected. Class names are checked for exact match (not for subclasses).