Chris Messina

Magic - Make passwords disappear with a touch of Magic

Passwords are the bane of app security. With a few lines of code and no bloat, Magic lets you build apps with blazing-fast, customizable, passwordless login - with future-proof crypto and identity tech under the hood.

Chris Lu
I can't wait until everything moves away from passwords! Even password managers are a hassle to use... Congrats team on the launch!
Sean Li
@chris_lu Thanks so much Chris! With all the recent advancements in cloud infrastructure, identity, and crypto, the pieces are starting to connect, the antiquated auth and identity space is going to get super interesting very soon!
Eric Berry
This is the authentication I've been waiting for! Seamlessly integrating web3 into web2 apps is now super easy!
Sean Li
@coderberry Thank you so much Eric!! Simplicity will be our focus - we'll carefully and gradually introduce more amazing web 3 features to web 2 in a super accessible way!
Sung Cheul Hong
Super exciting product!
Jaemin
Duncan Cock Foster
Hey Sean, very cool product. Quick question - if we already have password based log in, how does Magic integrate with that? Or does it only work if you're launching a new project going forward and you choose to eschew passwords completely from the beginning?
Sean Li
@duncan_cock_foster1 That's a very good question Duncan! We designed Magic to be able to integrate seamlessly with existing applications too and not just for new projects. You should be able to plug Magic into your existing session management (if there's any) and get rid of passwords by only requiring user magic links. You can take a look at the following tutorials for how that can be done: Express + PassportJS: https://docs.magic.link/tutorial... Firebase Auth: https://docs.magic.link/tutorial...
Duncan Cock Foster
@_seanli Can it work alongside passwords? For example, could we present users with the ability to log in with a password, and then also use Magic if they would like to do so?
Eric Elliott
@_seanli @duncan_cock_foster1 I think the technical answer to that is yes, but passwords come with very serious security, privacy, and financial risk hazards for your users due to the risk of password database theft. I've covered this topic in depth in many other places so I won't go too deep here, but the short version is there is no really safe way to store passwords, even hashed, salted, peppered passwords, and most users reuse the same passwords on multiple sites. That means providing a password option on your site could be endangering your user's bank account, or medical records, or identity, and that could open you up to liability you don't want. Passwords are obsolete.
ayhkim
I must say Magic passwordless login is really cool. One question I have is: why does it direct me back to the original page when I click the magic link?
Sean Li
@alex_kim4 Thanks so much! It's awesome that you noticed it and asked. We log users into the "original context" after the magic link is clicked, and we do this for several reasons:
* Taking modern user behaviors into account with users going between laptop and phone. Users are gravitating more towards their phone. Generally with web applications like Medium, users are logged into the tab where the magic link is clicked, but this may be a problem when users click on the link on their phone and are logged in on the phone rather than the laptop, making editing very inconvenient. With Magic's model we can get through complications with Incognito mode too. (Though we will be exploring deep linking with our mobile SDKs.)
* If the magic link URL gets hijacked somehow, the hackers will only be able to log users into their original tab, which can mitigate damages.
* Training user behavior to gradually shift to using an authenticator app like DUO on their phone by subtly encouraging users to use both laptop and phone to authenticate.
ayhkim
@_seanli I see. I was able to figure out that I had to go back to the original tab. For non tech-savvy users that may not be able to figure this out, how are you planning on improving your UX to make sure they know / learn that they need to use their original tab? I remember the error showed "magic link expired", not "You closed your original tab, try again" P.S. I really like how you guys are tackling passwordless login from UX and security point of view.
Peter Saxton
@alex_kim4 I'd be really interested to see how this turns out. At did.app we used to direct users back to the original tab, we even tried using alerts to pull the focus. In the end though we moved away from it because non-technical users kept getting frustrated. Like I said tho interesting to see if they can polish the UX
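The "original context" login discussed in this sub-thread, as an added sketch that is not Magic's code and not taken from any poster: the emailed link only approves a pending request, and the session is handed to whoever holds the `requestId` kept in the original tab. The class, method names, status strings and timings are all assumptions made for illustration.

```javascript
// Added illustration, not Magic's implementation. All names and timings are assumptions.
const { randomBytes, createHash } = require('node:crypto');

const LINK_TTL_MS = 15 * 60 * 1000; // assumed link lifetime
const TAB_IDLE_MS = 10 * 1000;      // assumed: the original tab polls more often than this
const sha256 = (s) => createHash('sha256').update(s).digest('hex');

class PendingLogins {
  constructor() {
    this.byTokenHash = new Map(); // hash of emailed token -> record
    this.byRequestId = new Map(); // secret held only by the original tab -> record
  }

  // Original tab asks to log in. `token` goes into the e-mail, `requestId` stays in the tab.
  start(email, now) {
    const token = randomBytes(32).toString('base64url');
    const requestId = randomBytes(32).toString('base64url');
    const rec = { email, state: 'pending', expires: now + LINK_TTL_MS, lastPoll: now };
    this.byTokenHash.set(sha256(token), rec); // only the hash is stored server-side
    this.byRequestId.set(requestId, rec);
    return { token, requestId };
  }

  // Link clicked on any device. Approves the request but never returns a session.
  click(token, now) {
    const rec = this.byTokenHash.get(sha256(token));
    if (!rec) return 'unknown_link';
    if (now > rec.expires) return 'link_expired';
    if (rec.state !== 'pending') return 'link_already_used';
    rec.state = 'approved';
    // Report a stale original tab explicitly instead of a generic "expired" message.
    return now - rec.lastPoll > TAB_IDLE_MS ? 'approved_original_tab_inactive'
                                            : 'approved_return_to_original_tab';
  }

  // Polled by the original tab. The session is issued here, and only once.
  collect(requestId, now) {
    const rec = this.byRequestId.get(requestId);
    if (!rec) return { session: null, reason: 'unknown_request' };
    rec.lastPoll = now;
    if (rec.state === 'consumed') return { session: null, reason: 'already_collected' };
    if (now > rec.expires) return { session: null, reason: 'link_expired' };
    if (rec.state === 'pending') return { session: null, reason: 'waiting_for_click' };
    rec.state = 'consumed';
    return { session: randomBytes(32).toString('base64url'), email: rec.email, reason: null };
  }
}
```

Because `click` never returns a session, a party holding only the link can approve a login but not receive it, and the separate `approved_original_tab_inactive` status gives the UI something more accurate to show than "magic link expired".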
SteveALee
Thanks @_SeanLi All good. I was not so much concerned about recovery as when I need to use an app on a device but do not have access to email there and then.
Sean Li
@stevealee Really appreciate these questions, it's what helps us move forward! Arthur added more to the token in localstorage question too. Regarding logging in with Yubi or our own mobile authenticator app, once that's paired with a user account, no more email link will be required, login can be achieved by tapping Yubi key or a mobile notification (similar to DUO). For users going to be using our own mobile authenticator app, there will be a special recovery process involved (inspired by crypto wallets) for users who have locked themselves out by losing their device etc.
SteveALee
@_seanli I also sent you a tweet :) Am looking forward to some coding time to check magic out!
SteveALee
@_seanli I guess I'm stuck when I leave my phone in the car and my partner drives off in it :) Mind you without my phone lots of pain ensues anyway.
Vikram Patankar
Congrats on the launch. What is the pricing? Couldn’t find that information anywhere.
Sean Li
@vikrampatankar Sorry for not being able to include that before launch! It'll be available very soon! There will be a free tier, and we'll be carrying over the pricing from our existing key management product (fortmatic.com/pricing) and make slight adjustments. Love to hear your feedback on the price range as we are trying to make this an optimal choice for startups and growing companies too!
Felice Feng
Great work! We've integrated Magic into TokenSets already, and it makes getting started w/ new users a breeze.
Sean Li
@felice_feng Thanks Felice! Super excited for what's next to come and bringing decentralized finance to the mainstream 🔥🔥🔥
Peter Saxton
@felice_feng Do you have a link to TokenSets, I'm really curious to see how more people are using magic links in their sites
omid borjian
I first saw the magic link on Slack and really nowhere else. This seems pretty intuitive. Great job!
Sean Li
@omidborjian Thanks so much!! Magic links are definitely starting to pick up in popularity, we've gotten quite some inspiration from the results from companies using magic links like Slack, Medium, and Substack!
hao li
This is a good idea, but I have a question: for the mail recipient, there are often all kinds of problems, such as mail delay, mail is thrown into trash box, mail is rejected and other risks. How to ensure that users can access the system?
Sean Li
@haolee Email links are just the easy starting point for many users. We will be graduating more users to more sophisticated login methods such as webauthn and mobile authenticator apps. The benefit with our DID architecture is that developers can easily add other form-factors of login without having to change the backend code!
hao li
@_seanli Thank you so much