I have a private Matrix server for a few friends. Whenever someone logs on with a new device or client, it lists them as being unverified. Eventually it goes away. I really have no idea at what point verification occurs.
They verify their device. Usually means opening Matrix on another device, clicking the pop-up, and scanning a QR code or matching emoji. One device signs proof of verification of the other and exchanges encryption keys so the new device can read encrypted conversations.
Unverified devices are indistinguishable from a hacker logging in through credential stuffing/password leaks until verification is done.
It's a process similar to adding devices to Signal or WhatsApp, except with Matrix you can still log in without having physical access to another device. Useful if you only ever visit unencrypted rooms perhaps.
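Added example, not part of the posts above: the "one device signs proof of verification of the other" step is visible in the key data the client-server `/keys/query` endpoint returns, where a verified device carries a signature from the account's self-signing key. The response here is constructed with placeholder keys, the function names are hypothetical, and the check is structural only (it does not validate the Ed25519 signatures, which a real client does).

```python
U = "@alice:example.org"  # constructed user ID
# Constructed sample shaped like a /keys/query response; key and signature
# values are placeholders, not real key material.
SAMPLE = {
    "device_keys": {U: {
        "OLDPHONE": {
            "user_id": U, "device_id": "OLDPHONE",
            "keys": {"ed25519:OLDPHONE": "PLACEHOLDER_DEVICE_KEY"},
            "signatures": {U: {
                "ed25519:OLDPHONE": "PLACEHOLDER_SIG",         # self-signature
                "ed25519:PLACEHOLDER_SSK": "PLACEHOLDER_SIG",  # cross-signature
            }},
        },
        "NEWLAPTOP": {  # logged in, but never verified from another device
            "user_id": U, "device_id": "NEWLAPTOP",
            "keys": {"ed25519:NEWLAPTOP": "PLACEHOLDER_DEVICE_KEY"},
            "signatures": {U: {"ed25519:NEWLAPTOP": "PLACEHOLDER_SIG"}},
        },
    }},
    "self_signing_keys": {U: {
        "user_id": U, "usage": ["self_signing"],
        "keys": {"ed25519:PLACEHOLDER_SSK": "PLACEHOLDER_SSK"},
    }},
}

def cross_signing_status(resp):
    """Map (user_id, device_id) -> True when the device entry carries a
    signature keyed by the user's self-signing key."""
    status = {}
    for user_id, devices in resp.get("device_keys", {}).items():
        ssk = resp.get("self_signing_keys", {}).get(user_id, {})
        ssk_ids = set(ssk.get("keys", {}))  # e.g. {"ed25519:<public key>"}
        for device_id, dev in devices.items():
            sigs = dev.get("signatures", {}).get(user_id, {})
            # No self-signing key at all means nothing can be cross-signed.
            status[(user_id, device_id)] = bool(ssk_ids & set(sigs))
    return status

def unverified_devices(resp):
    """Devices that would still show as unverified, sorted for stable output."""
    return sorted(k for k, ok in cross_signing_status(resp).items() if not ok)

if __name__ == "__main__":
    for user_id, device_id in unverified_devices(SAMPLE):
        print(f"unverified: {user_id} {device_id}")
```

A device drops off this list once another session signs it with the self-signing key, which matches the point where the "unverified" label disappears.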