
Show HN: Login with Matrix - redsolver
https://loginwithmatrix.tiktalk.space/
======
mike-cardwell
Not sure about this claim:

"More secure than E-Mail or SMS, because the codes are end-to-end-encrypted
(Not in this demo, but supported by Matrix)"

Assuming encryption is turned on for a room, it's opportunistic unless both
sides have verified each other out of band.

Maybe as a second factor, or as a user identifier (instead of email), it would
be useful. But I wouldn't use it as the sole token for logging in.

~~~
redsolver
With almost every online service, you can easily reset your password through
E-Mail. So if someone gains access to your E-Mail account, the person can take
over your other accounts. If you use your Matrix ID (without a password like
in the demo) instead of E-Mail, it's the same number of factors (because you
can't even guess the password if using "Login with Matrix" because there is
none) and the only difference remains in the communication protocol (E-Mail
and Matrix). And because Matrix uses E2E, it's _more secure_ than a plain
E-Mail, even if not verified. Also, afaik Matrix requires you to verify a new
session (with a logged-in device or recovery key) to gain access to encrypted
messages, which makes it a lot harder to fully take over your Matrix account
with E2E messages than your E-Mail account, even if someone guessed your
password for either one. It's of course a good idea to add additional factors
(Hardware Keys, OTP App) to the whole process for improved security, but this
is true for both E-Mail and Matrix and that's why I think that "Login with
Matrix" is more secure than an E-Mail/Password Login.

