Matrix.org Will Migrate to MAS
MAS, OIDC, and Login UX
- MAS moves Matrix auth to OAuth2/OIDC flows: users authenticate via a browser against their homeserver (or external IdP) instead of typing passwords into each client.
- This enables passkeys, WebAuthn, 2FA/MFA, QR-based login, and centralized auth policies without every client having to implement these separately.
- MAS is backward-compatible with current Matrix auth APIs, so existing clients continue to work; OIDC-native clients (e.g., newer Element apps) can expose richer flows like QR login and easier device onboarding.
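
The browser-based flow described above, sketched from the client's side as an added example (not code from MAS, Element, or the discussion). It assumes an OAuth2 authorization-code flow with PKCE (RFC 7636); the endpoint, client ID, and redirect URI are hypothetical placeholders.

```python
import base64, hashlib, hmac, secrets
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical values for illustration; a real client discovers or registers these.
AUTHORIZATION_ENDPOINT = "https://auth.example.org/authorize"
CLIENT_ID = "EXAMPLE_CLIENT_ID"
REDIRECT_URI = "https://client.example.org/callback"


def pkce_challenge(verifier: str) -> str:
    """S256 challenge per RFC 7636: BASE64URL(SHA256(verifier)), unpadded."""
    digest = hashlib.sha256(verifier.encode("ascii")).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode("ascii")


def begin_login(scope: str = "openid"):
    """Return (browser_url, session). The client never handles the password."""
    session = {"state": secrets.token_urlsafe(32), "code_verifier": secrets.token_urlsafe(64)}
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": session["state"],  # binds the response to this login attempt
        "code_challenge": pkce_challenge(session["code_verifier"]),
        "code_challenge_method": "S256",  # the verifier itself stays on the client
    }
    return f"{AUTHORIZATION_ENDPOINT}?{urlencode(params)}", session


def handle_callback(callback_url: str, session: dict) -> dict:
    """Validate the redirect, then build the body of the token request."""
    query = parse_qs(urlparse(callback_url).query)
    returned_state = query.get("state", [""])[0]
    if not hmac.compare_digest(returned_state.encode(), session["state"].encode()):
        raise ValueError("state mismatch: response is not for this login attempt")
    if "error" in query:
        raise ValueError(f"authorization failed: {query['error'][0]}")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("callback carries no authorization code")
    return {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": REDIRECT_URI,
        "client_id": CLIENT_ID,
        "code_verifier": session["code_verifier"],  # proves we started the flow
    }
```

The authentication step itself (password, passkey, 2FA) happens entirely on the provider's page between the two calls, which is why new methods can be added without changing the client.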
Impact on Clients and Self‑Hosted Servers
- MAS is open source (AGPLv3) and self‑hostable, with Helm charts and docker-compose examples.
- Some commenters worry MAS adds complexity and external dependencies for small/self‑hosted homeservers; others note legacy “username/password” flows will likely need to remain for a long time.
- There’s interest in homeservers acting as general-purpose IdPs; MAS can act as an OIDC provider but is intentionally lightweight, with suggestions to use a full IdP (e.g., Keycloak/Ory) if needed.
Privacy, E2EE, and Comparisons to Other Messengers
- Many comments contrast Matrix/Element with WhatsApp, Telegram, Signal, Google Chat, etc.
- Strong criticism of Telegram: non‑E2EE by default, groups not E2EE, desktop clients lacking E2EE for 1:1, and a long history of controversial crypto design. Defenders point out MTProto 2 uses standard primitives and that secret chats exist, but critics argue defaults and usability make those largely irrelevant in practice.
- Meta/WhatsApp: even with E2EE, metadata collection and closed-source endpoints are seen as major risks.
- Signal is praised for default E2EE everywhere but critiqued for UX gaps (no multiple phones, no web client, slower feature/UI polish vs Telegram).
Bridges and Interoperability
- Experiences with Matrix bridges are mixed: some report a “one app for everything” success, others report instability, message loss, and UX mismatches (missing reactions, polls, captions).
- Newer bridges like slidge for XMPP/WhatsApp get tentative praise but are noted as young.
Element, Licensing, and Funding
- Explanation of the split between the Matrix Foundation (governance/spec) and Element (main vendor).
- Element switched major projects from permissive to AGPL to sustain development after many commercial users failed to contribute back.
- This triggers a broader debate: permissive licenses as “donations to industry” vs copyleft/AGPL as better aligned with sustaining public goods.
Browser Privacy vs Web Authentication
- Strong tension between strict tracking protection/private browsing and OIDC-style cross-domain auth: strict cookie policies can break Matrix/Element logins, including to Mozilla’s instance.
- Some argue web standards and auth flows should adapt to privacy; others say cross-domain auth is a legitimate need and that current “app enters your password” flows are worse.
- MAS doesn’t inherently solve this tension; success will depend on how browsers handle cookies and redirects.
Positioning vs Other Platforms
- Some see Discord’s “enshittification” as an opportunity for Matrix, but warn Matrix UX must be highly polished for mainstream adoption.
- Element X is mentioned as chasing Telegram-level UX, with recent work (local encrypted event cache) aimed at smooth, fast clients, though feature parity with old Element/web is still incomplete.