
Improve how we handle phone numbers #478

Open
nadonomy opened this issue Jun 24, 2022 · 7 comments
Labels
A-OIDC T-Enhancement X-Needs-Product More input needed from the Product team

Comments

@nadonomy

From chatting with @richvdh we should come up with a plan to improve how we handle phone numbers in general. Using this issue as a bit of a braindump to co-ordinate from:

  • Auth: We think we should solve phone number auth within the context of OIDC. cc @sandhose @hughns
  • Contact discovery: We think we should improve privacy warnings on mobile within the context of ElementX. cc @manuroe @stefanceriu @bmarty
    • Pairing with @richvdh on any backend changes
  • Contact discovery: We're unsure of Web/Desktops full capabilities, @t3chguy or @turt2live input would be welcome.
@turt2live
Member

turt2live commented Jun 24, 2022

Web supports management (add/remove) of phone numbers in settings. I believe it can also resolve phone numbers to user IDs in the invite dialog, though I would have to check to be sure.

Edit: resolution is during invites

@richvdh
Member

richvdh commented Jun 24, 2022

This stems from the Synapse issue at matrix-org/synapse#5881, which also has a bit more context on the current situation around the use of email addresses and phone numbers in Matrix at matrix-org/synapse#5881 (comment).

@sandhose
Member

Auth: We think we should solve phone number auth within the context of OIDC.

I definitely want to add mobile verification support, to allow SMS-based 2FA, password-less logins and account recovery down the line (which are things I also want to do for emails). It doesn't mean we'll enable those on Matrix.org, but want that as an option in the authentication server.

Tracked here: matrix-org/matrix-authentication-service#264
This however doesn't help with discovery via the identity server. The phone number would only be verified by the authentication service, but not by the identity server.

@t3chguy
Member

t3chguy commented Jun 25, 2022

@nadonomy re web contact discovery: it is problematic. https://developer.mozilla.org/en-US/docs/Web/API/Contact_Picker_API is only supported on the mobile web, not at all on desktop browsers. Electron does not have any support for this; we could probably add support for Windows & Mac with a significant amount of work against the built-in contact management utilities, and for Linux I'm not sure if there is a standard.

Either way, it's a heck of a lot of effort to support contact discovery on Desktop and impossible on the Web as the support stands.

@richvdh
Member

richvdh commented Jul 1, 2022

Trying to pull some numbers on this:

Using a phone number as a login identifier:

  • we have 70000 users on matrix.org who have a phone number registered to their homeserver account.
  • over the last two weeks, we saw 1792 attempts to log in using the phone number as an identifier. Of those, a grand total of... 107 were successful.

Looking up other users via an identity server

  • Unfortunately we don't have good metrics for individual lookups, because sydent doesn't log whether it is looking up an email address or phone number. We could add this fairly easily of course.
  • On the matrix.org and vector.im identity servers, we saw a total of 2758 "bulk" lookups over the last week (where "bulk" is defined as "at least 10 contacts"). I assume these are largely phone numbers, because of the way bulk lookups are used?

@richvdh
Member

richvdh commented Jul 1, 2022

Oh and of course, the thorn that's actually boring a hole in my side: how often do we do a phone number verification:

  • vector.im and matrix.org's identity servers saw 600 attempts to verify a phone number in the week to 24 June
  • Correlating to the logs from the matrix.org homeserver: (a) the majority of them (573) came from there; (b) all of those 573 were adding a phone number via the settings UI rather than during registration.

@richvdh
Member

richvdh commented Jul 12, 2022

In an ideal world, I would like homeservers not to have to care about phone numbers at all. Once we have OIDC taking care of authentication, the only reason left for a homeserver to manage phone numbers is because clients (or at least, the various flavours of Element) currently expect to be able to get a list of email addresses and phone numbers via GET /_matrix/client/v3/account/3pid before they will allow the user to bind those identifiers on the IS, which is (IMHO) an unnecessary constraint.
