Show HN: Login with Matrix (opens in new tab)

(loginwithmatrix.tiktalk.space)

7 pointsredsolver5y ago2 comments

2 comments

2 comments · 1 top-level

mike-cardwell5y ago· 1 in thread

Not sure about this claim:

"More secure than E-Mail or SMS, because the codes are end-to-end-encrypted (Not in this demo, but supported by Matrix)"

Assuming encryption is turned on for a room, it's opportunistic unless both sides have verified each other out of band.

Maybe as a second factor, or as a user identifier (instead of email), it would be useful. But I wouldn't use it as the sole token for logging in.

redsolverOP5y ago

With almost every online service, you can easily reset your password through E-Mail. So if someone gains access to your E-Mail account, the person can take over your other accounts. If you use your Matrix ID (without a password like in the demo) instead of E-Mail, it's the same count of factors (because you can't even guess the password if using "Login with Matrix" because there is none) and the only difference remains in the communication protocol (E-Mail and Matrix). And because Matrix uses E2E, it's more secure than a plain E-Mail, even if not verified. Also, afaik Matrix requires you to verify a new session (with a logged-in device or recovery key) to gain access to encrypted messages, which makes it a lot harder to fully take over your Matrix account with E2E messages than your E-Mail account, even if someone guessed your password for either one. It's of course a good idea to add additional factors (Hardware Keys, OTP App) to the whole process for improved security, but this is true for both E-Mail and Matrix and that's why I think that "Login with Matrix" is more secure than an E-Mail/Password Login.

j / k navigate · click thread line to collapse