As discussed in the parent task (T399664), I think the best way to do this would be a UserGetRights hook listener that adds the oathauth-enable right based on the last two digits of the user's central user ID.

Affected users should somehow be awared that they can enable 2FA.

@Bugreporter notifying users that they have access to 2FA is a part of later work once we ensure that increasing access is not too much load on support or anything else.

Change #1174049 had a related patch set uploaded (by Mstyles; author: Mstyles):

[operations/mediawiki-config@master] OATHAuth: Add Config Variable

https://gerrit.wikimedia.org/r/1174049

Change #1174062 had a related patch set uploaded (by Mstyles; author: Mstyles):

[mediawiki/extensions/OATHAuth@master] incremental 2FA rollout

https://gerrit.wikimedia.org/r/1174062

Change #1174062 merged by jenkins-bot:

[mediawiki/extensions/OATHAuth@master] Support incremental 2FA rollout

https://gerrit.wikimedia.org/r/1174062

Change #1174049 merged by jenkins-bot:

[operations/mediawiki-config@master] OATHAuth: Enable 2FA opt-in for 10% of users

https://gerrit.wikimedia.org/r/1174049

Mentioned in SAL (#wikimedia-operations) [2025-09-08T20:19:51Z] <mstyles@deploy1003> Started scap sync-world: Backport for [[gerrit:1174049|OATHAuth: Enable 2FA opt-in for 10% of users (T400579)]]

Mentioned in SAL (#wikimedia-operations) [2025-09-08T20:26:12Z] <mstyles@deploy1003> mstyles: Backport for [[gerrit:1174049|OATHAuth: Enable 2FA opt-in for 10% of users (T400579)]] synced to the testservers (see https://wikitech.wikimedia.org/wiki/Mwdebug). Changes can now be verified there.

Mentioned in SAL (#wikimedia-operations) [2025-09-08T20:33:22Z] <mstyles@deploy1003> Finished scap sync-world: Backport for [[gerrit:1174049|OATHAuth: Enable 2FA opt-in for 10% of users (T400579)]] (duration: 13m 28s)