IdeaWell

Project ideas from Hacker News discussions.

Verifying your Matrix devices is becoming mandatory

Original Article

Hacker News Discussion

📝 Discussion Summary (Click to expand)

The three most prevalent themes in the discussion surrounding the Matrix/Element "verification" process are:

  1. Confusion Over the Meaning of "Verification": Many users expressed confusion about what verification actually entails, often mistaking it for real-identity checks, while others clarified it is purely for device authentication related to cryptographic key exchange in an E2EE context.

    • "I never have to reveal my ID, name, phone number, or email address to anyone. Not to Element, the Matrix Foundation, or the person running my home server where all my [encrypted] messages live," stated user xethos.
    • "Yeah, IMO 'verify' was a poor choice of wording for what this is. It has nothing to do with remote attestation or any other form of Treacherous Computing, and it has nothing to do with your real-life identity," echoed josephcsible.

  2. Poor and Inconsistent User Experience (UX) of Verification: A significant portion of the conversation focused on the difficulty, unreliability, and frustration associated with the actual process of cross-device verification, leading some users to abandon the platform.

    • "I have had all variations of clients ignoring requests, reporting requests only for the requesting client to ignore the response... It marked the end of me using Matrix as a platform," lamented Lerc.
    • User Groxx noted, "I've had _constant_ problems with the verification ever since it was introduced. As far as I can tell it hasn't improved at all."

  3. Comparison to Centralized Alternatives (Signal/XMPP) and Metadata Leakage: Users frequently contrasted Matrix's approach to security and usability against centralized options like Signal, often criticizing Matrix for leaking significant metadata despite its end-to-end encryption for messages.

    • "Matrix wants to be an encrypted IRC or Slack. Signal wants to be a secure messenger you can entrust your life to," distinguished tptacek.
    • Regarding metadata, iqihs commented, "encryption of message contents is enabled by default in conversations and available in groups, but that's about it - nothing else is, or can be, encrypted. In other words, every participating server knows who is talking to who, and how much, and when, and in what rooms..."

🚀 Project Ideas

Matrix Device Verification UX Simplifier (DVUX)

Summary

  • A web-based tool that automates or simplifies the convoluted cross-client device verification process described in the discussion (emoji matching, QR scanning, recovery key entry).
  • Core value proposition: Dramatically reduce the friction and confusion around verifying new Matrix devices, tackling the reported "nightmare" UX that causes user churn.

Details

Key Value
Target Audience Matrix/Element users attempting to set up a new device or verify a contact's device who struggle with the current client-to-client interactive flow.
Core Feature A central web portal where a user can initiate device verification, allowing them to input data (like scanning a QR code or entering the emoji string) from a problematic client, or to input a recovery key/passphrase securely once.
Tech Stack Lightweight frontend (React/Vue), simple backend for secure session handling and API interaction (Node.js/Go), communicating with the Matrix client API (e.g., via POST /_matrix/client/v3/devices/{deviceId}/verify/requestToken).
Difficulty Medium
Monetization Hobby

Notes

  • Why HN commenters would love it: Addresses direct complaints about usability: "The experiences reported here seem to say otherwise...", "If by bit different you mean absolute nightmare then yes". It centralizes the confusing interactive verification ("asking for the other end to input a code while the other end shows no interface for doing so").
  • Potential for discussion or practical utility: Could inspire discussion on standardizing the verification initiation point outside of relying on two momentarily synchronized clients. If successful, it could become an essential "helper tool" cited by annoyed users.

E2EE Key Chain Management Dashboard (KCM-D)

Summary

  • A persistent, local-first dashboard for viewing, managing, and securely re-enabling access for all encrypted devices associated with a Matrix account.
  • Core value proposition: Provides clear state management for encryption keys and recovery methods, separating the concept of "access key" from "identity verification," solving issues where users feel "unverified" despite having keys.

Details

Key Value
Target Audience Experienced/Technical Matrix users (admins, long-term users) who frequently deal with device key rotation, backup key management, and mysterious "unverified" states ("Even if you only use a single client it can be verified or not. That's confusing even for very technical people").
Core Feature Inventory of all known devices (active/inactive), clear status on whether their E2EE key share is complete, input fields dedicated only for the Recovery Key or Recovery Passphrase (solving the UI confusion mentioned: "enter the recovery key where they wanted the passphrase or the opposite").
Tech Stack Desktop application (Electron/Tauri) or robust Progressive Web App (PWA) for local storage security, interacting with the Matrix Client-Server API to list devices and potentially initiate key backup restoration flows.
Difficulty Medium/High
Monetization Hobby

Notes

  • Why HN commenters would love it: Directly tackles the frustration of complex recovery and state management: "I was authenticated, but unverified," and provides a single pane of glass for cryptographic assets, something often lacking in client UIs built for general users.
  • Potential for discussion or practical utility: This tool could explore the tension between key backup (passphrase/key file) and interactive verification, offering users a clear choice for setup, rather than bundling them confusingly when setting up a new device.

Metadata Visibility & Filtering Tool (MetaScope)

Summary

  • A service or tool focusing on visualizing and filtering the unencrypted metadata leakage inherent in the Matrix protocol, addressing concerns that metadata leakage makes E2EE feel pointless ("When you leak that much metadata, it's disenginious to call it encrypted").
  • Core value proposition: Offers users the ability to quantify and selectively hide/abstract metadata leakage (who talked to whom, room names) when connecting to large public/federated homeservers, bridging the gap between Matrix's protocol design and Signal's metadata privacy (as pointed out by users).

Details

Key Value
Target Audience Privacy-conscious users, server admins, and those concerned about the "who is talking to who" aspect of Matrix metadata.
Core Feature A bridge/proxy/client that processes metadata streams, allowing users to apply filtering rules (e.g., "Hide room names for any room shared with user X," or "Abstract all server names to a generic placeholder if not connecting to my own server").
Tech Stack Proxy server (e.g., written in Rust for performance) placed between the client and the homeserver, capable of intelligently obscuring or stubbing out metadata fields in Room State events before they reach the client application.
Difficulty High
Monetization Hobby

Notes

  • Why HN commenters would love it: Directly engages with the core architectural critique: Matrix being unencrypted for metadata while attempting to be a secure IM ("metadata is (currently) not nearly as well-guarded on Matrix compared to Signal"). It offers a technical attempt to address this philosophical difference.
  • Potential for discussion or practical utility: This creates a valuable product space between pure plaintext IRC metadata exposure and Signal's centralization. It would spark debate on whether masking metadata is sufficient or if the protocol itself needs foundational changes (which the thread already covers extensively regarding protocol overhauls).