Hello.
I have been watching Riot closely to migrate my team away from Discord - mostly because of end-to-end encryption. There are still some speed bumps which might not be obvious to the team but will significantly reduce adoption unless addressed. The following is my list of issues which have caused some members of my team to be reluctant to switch.
1. Inviting members to a private community doesn't work
Slack and Discord teams/communities typically have many private rooms to deal with a lot of messages.
On Discord and Slack, we simply invite a person and give them the appropriate community rank to reveal all the relevant rooms. On Riot, linking to the community results in this:
The user has no way of discovering the invite-only rooms. It seems like we will need to send invites and manage permissions for every room separately, which is quite unworkable.
There seems to be no way to "join" the linked community. The link ends up being pretty useless.
2. Encryption is voodoo to most users
Once we invite a team member to a particular room, they are greeted by this:
There are two issues with this:
Given that most users have no idea about encryption, popping up a huge message like this during onboarding seems like a UX mistake. It's scary stuff to them. Keys? What are keys? What recovery? What is end-to-end encryption?
People will forget their recovery passphrase. Two passwords and recovery keys are confusing. They can barely remember a single password.
I have previously proposed following ProtonMail's example by using a single, client-side password along with the Secure Remote Password protocol: #7876. It could make e2ee Riot just as usable as Discord and Slack. In the meantime, I would suggest deferring the prompt for later.
3. Device verification screams at users for doing nothing wrong
If we are striving for ubiquitous end-to-end encryption, I bet less than 1% of users/communities will actually care about verifying devices of room members. It is time-consuming and people have no idea what it accomplishes. Let's make it less in-your-face and stop scaring non-technical users who are trying to use the product to chat with their friends or teammates.
Marking unverified users with a hint icon suggesting verification would be one thing, but I would advise against massive, red warning signs and scary messages unless the user (or room) has explicitly opted in due to their own privacy requirements.
WhatsApp went as far as making even hints opt-in. I think we can safely retain a small hint icon by default without disrupting onboarding, but the current solution is simply scary to most users, especially after encountering the previous speed bumps related to invites, passwords and encryption.
That being said, the redesign is a massive step in the right direction. Registration is so much better already! I hope this list helps pin down the remaining issues.