Account Security
Protect your Matrix account with these security practices.
Strong Authentication
Passwords
If using password authentication:
- Minimum 16 characters
- Use a password manager
- Unique password for Matrix
- Consider passphrase (4+ random words)
Single Sign-On (SSO)
Many homeservers support SSO:
- OAuth/OIDC providers (Google, GitHub)
- SAML for enterprise
- LDAP for organizations
SSO benefits:
- Centralized authentication
- 2FA at provider level
- No Matrix-specific password
Two-Factor Authentication
Enable 2FA when available:
- Check that your homeserver supports it
- Configure it via the homeserver admin
- Use an authenticator app
Session Management
Review Active Sessions
Regularly check your logged-in devices:
Element: Settings → Security → Sessions
Look for:
- Unknown devices - Potential compromise
- Old sessions - Remove if unused
- Unverified - Verify or remove
Session Security
| Session Type | Security Level |
|---|---|
| Verified, cross-signed | Highest |
| Verified | High |
| Unverified | Medium |
| Unknown | Low - investigate |
Remote Sign-Out
If a device is lost/stolen:
- Go to Security settings
- Find the session
- Click "Sign out" or "Remove"
- Change password if compromised
Key Backup Security
Recovery Key
Your recovery key grants full access to your key backup. Protect it:
DO:
- Store in password manager
- Keep offline backup
- Use encrypted storage
DON'T:
- Share with anyone
- Store in plain text
- Screenshot it and sync it to the cloud
Recovery Scenarios
| Scenario | Solution |
|---|---|
| New device | Verify from existing device |
| Lost all devices | Use recovery key |
| Lost recovery key | Create new backup |
| Compromised key | Reset and re-verify |
Social Engineering
Common Attacks
| Attack | Example | Defense |
|---|---|---|
| Phishing | Fake login pages | Check URL carefully |
| Impersonation | "Admin" asking for password | Never share passwords |
| Verification scams | "Verify with me" | Verify out-of-band |
Verification Best Practices
Before verifying someone:
- Confirm identity through another channel
- Compare emojis carefully
- Don't rush the process
- When in doubt, don't verify
Account Recovery
If Compromised
- Change password immediately
- Sign out all sessions
- Reset key backup
- Re-verify all devices
- Check room memberships
- Notify contacts if needed
If Locked Out
- Try recovery key/phrase
- Contact homeserver admin
- You may need to create a new account
- History in encrypted rooms may be lost
Deactivation
Temporary Leave
To take a break without deleting:
- Log out of all clients
- Leave/mute rooms
- Account remains
Permanent Deactivation
Irreversible account deletion:
- Contact homeserver admin
- Or use admin API (if available)
- All sent messages remain (by design)
- Display name erased
Before Deactivating
- Export important data
- Leave rooms manually
- Inform contacts
- Remove personal info from profile
Privacy Settings
Profile Visibility
Control what others see:
- Display name - Can be anything or empty
- Avatar - Optional
- Presence - Can disable
Read Receipts
Disable if you don't want others to know you've read messages:
Settings → Preferences → Disable read receipts
Typing Indicators
Typing indicators can also be disabled for privacy.
Multi-Account Usage
Separate Accounts
Consider separate accounts for:
| Purpose | Why |
|---|---|
| Work | Compliance, separation |
| Personal | Privacy |
| Testing | Experimentation |
| Anonymous | Sensitive topics |
Account Switching
Most clients support multiple accounts:
- Element: Profile menu → Add account
- FluffyChat: Built-in multi-account support
Audit Checklist
Monthly security review:
- Review active sessions
- Remove unused sessions
- Check verified devices
- Verify key backup works
- Review room memberships
- Update password if needed
- Check for client updates
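For the session review above and this monthly checklist, an added example (not from the original guide) that buckets an account's sessions from the Client-Server API `GET /_matrix/client/v3/devices` response into current, stale, unnamed and active; the sample data, the 30-day threshold and the `fetch_devices` helper are this example's own assumptions:

```python
# Added example, not part of the original guide. It works on the JSON body
# returned by the Matrix Client-Server API GET /_matrix/client/v3/devices
# (fields device_id, display_name, last_seen_ip, last_seen_ts). The sample
# data, the 30-day threshold and the bucket names are this example's choices.
import json
import urllib.request

DAY_MS = 24 * 60 * 60 * 1000

def fetch_devices(homeserver, access_token):
    """Fetch the live device list for the account that owns access_token."""
    req = urllib.request.Request(f"{homeserver}/_matrix/client/v3/devices",
                                 headers={"Authorization": f"Bearer {access_token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)["devices"]

def audit_devices(devices, now_ms, my_device_id, stale_days=30):
    """Bucket sessions the way the review checklist does: 'stale' ones were
    never seen or are unused for more than stale_days (sign them out),
    'unnamed' ones are active but unrecognisable (investigate)."""
    report = {"current": [], "stale": [], "unnamed": [], "active": []}
    for d in devices:
        dev_id = d["device_id"]
        last_seen = d.get("last_seen_ts")  # optional in the spec
        if dev_id == my_device_id:
            report["current"].append(dev_id)
        elif last_seen is None or now_ms - last_seen > stale_days * DAY_MS:
            report["stale"].append(dev_id)
        elif not d.get("display_name"):
            report["unnamed"].append(dev_id)
        else:
            report["active"].append(dev_id)
    return report

# Constructed sample of a /devices response body for one account.
NOW_MS = 1_700_000_000_000
SAMPLE_DEVICES = [
    {"device_id": "LAPTOP0001", "display_name": "Element Web (laptop)",
     "last_seen_ip": "192.0.2.10", "last_seen_ts": NOW_MS - DAY_MS},
    {"device_id": "PHONE00002", "display_name": "Element Android",
     "last_seen_ip": "198.51.100.7", "last_seen_ts": NOW_MS - 45 * DAY_MS},
    {"device_id": "MYSTERY003", "display_name": None,
     "last_seen_ip": "203.0.113.9", "last_seen_ts": NOW_MS - 2 * DAY_MS},
    {"device_id": "OLDBOT0004", "display_name": "Old bot"},  # never seen
]

if __name__ == "__main__":
    for bucket, ids in audit_devices(SAMPLE_DEVICES, NOW_MS, "LAPTOP0001").items():
        print(f"{bucket:8} {ids}")
```

Devices that land in `stale` or `unnamed` are the ones to sign out or investigate from Settings → Security → Sessions.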
See also: Security Overview