Passwords are the bane of app security. With a few lines of code and no bloat, Magic lets you build apps with blazing-fast, customizable, passwordless login - with future-proof crypto and identity tech under the hood.
@chris_lu Thanks so much Chris! With all the recent advancements in cloud infrastructure, identity, and crypto, the pieces are starting to connect, the antiquated auth and identity space is going to get super interesting very soon!
@coderberry Thank you so much Eric!! Simplicity will be our focus - we'll carefully and gradually introduce more amazing web 3 features to web 2 in a super accessible way!
Hey Sean, very cool product. Quick question - if we already have password based log in, how does Magic integrate with that? Or does it only work if you're launching a new project going forward and you choose to eschew passwords completely from the beginning?
@duncan_cock_foster1 That's a very good question Duncan! We designed Magic to be able to integrate seamlessly with existing applications too and not just for new projects. You should be able to plug Magic into your existing session management (if there's any) and get rid of passwords by only requiring user magic links. You can take a look at the following tutorials for how that can be done:
Express + PassportJS: https://docs.magic.link/tutorial...
Firebase Auth: https://docs.magic.link/tutorial...
@_seanli Can it work alongside passwords? For example, could we present users with the ability to log in with a password, and then also use Magic if they would like to do so?
@_seanli @duncan_cock_foster1
I think the technical answer to that is yes, but passwords come with very serious security, privacy, and financial risk hazards for your users due to the risk of password database theft.
I've covered this topic in depth in many other places so I won't go too deep here, but the short version is there is no really safe way to store passwords, even hashed, salted, peppered passwords, and most users reuse the same passwords on multiple sites.
That means providing a password option on your site could be endangering your user's bank account, or medical records, or identity, and that could open you up to liability you don't want.
Passwords are obsolete.
I must say Magic passwordless login is really cool. One question I have is: why does it direct me back to the original page when I click the magic link?
@alex_kim4 Thanks so much! It's awesome that you noticed it and asked, we log users into the "original context" after the magic link is clicked, and we do this for several reasons:
* Taking modern user behaviors into account with users going between laptop and phone. Users are gravitating more towards their phone. Generally with web applications like Medium, users are logged into the tab where the magic link is clicked, but this may be a problem when users click on the link on their phone and are logged in on the phone rather than the laptop, making editing very inconvenient. With Magic's model we can get through complications with Incognito mode too. (Though we will be exploring deep linking with our mobile SDKs)
* If the magic link URL gets hijacked somehow, the hackers will only be able to log users into their original tab, which can mitigate damages.
* Training user behavior to gradually shift to using an authenticator app like DUO on their phone by subtly encouraging users to use both laptop and phone to authenticate
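The "original context" behaviour described in the reply above can be modelled as follows. This is an added example, not Magic's code and not part of the thread: the `LoginBroker` class, its method names and the two-secret design are assumptions about one way to get the property that a leaked link URL cannot produce a session for whoever holds it.

```javascript
const crypto = require("node:crypto");

const sha256 = (s) => crypto.createHash("sha256").update(s).digest();
const newSecret = () => crypto.randomBytes(32).toString("base64url");

// Hypothetical in-memory broker; a real service would use a shared store.
class LoginBroker {
  constructor(ttlMs = 10 * 60 * 1000) {
    this.ttlMs = ttlMs;
    this.pending = new Map(); // requestId -> pending login record
  }

  // Called by the tab that shows the login form.
  start(email, now = Date.now()) {
    const requestId = newSecret();
    const tabSecret = newSecret(); // stays in the originating tab only
    const linkToken = newSecret(); // travels in the emailed URL
    this.pending.set(requestId, {
      email, approved: false, expires: now + this.ttlMs,
      tabHash: sha256(tabSecret), linkHash: sha256(linkToken),
    });
    return { requestId, tabSecret, linkToken };
  }

  // Look up a live request and check one of its secrets in constant time.
  #check(requestId, field, secret, now) {
    const rec = this.pending.get(requestId);
    if (!rec) return null;
    if (now > rec.expires) { this.pending.delete(requestId); return null; }
    return crypto.timingSafeEqual(rec[field], sha256(String(secret))) ? rec : null;
  }

  // Clicking the link approves the request; it never returns a session.
  clickLink(requestId, linkToken, now = Date.now()) {
    const rec = this.#check(requestId, "linkHash", linkToken, now);
    if (!rec || rec.approved) return false; // unknown, expired, or replayed
    rec.approved = true;
    return true;
  }

  // Only the tab holding tabSecret can turn an approved request into a session.
  claim(requestId, tabSecret, now = Date.now()) {
    const rec = this.#check(requestId, "tabHash", tabSecret, now);
    if (!rec || !rec.approved) return null;
    this.pending.delete(requestId); // single use
    return { email: rec.email, session: newSecret() };
  }
}
```

In this model the originating tab polls `claim` until the link has been clicked; closing that tab discards `tabSecret`, so the request can only expire.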
@_seanli I see. I was able to figure out that I had to go back to the original tab. For non tech-savvy users that may not be able to figure this out, how are you planning on improving your UX to make sure they know / learn that they need to use their original tab?
I remember the error showed "magic link expired", not "You closed your original tab, try again" P.S. I really like how you guys are tackling passwordless login from UX and security point of view.
@alex_kim4 I'd be really interested to see how this turns out. At did.app we used to direct users back to the original tab, we even tried using alerts to pull the focus. In the end though we moved away from it because non-technical users kept getting frustrated.
Like I said tho interesting to see if they can polish the UX
Thanks @_SeanLi All good. I was not so much concerned about recovery as when I need to use an app on a device but do not have access to email there and then.
@stevealee Really appreciate these questions, it's what helps us move forward! Arthur added more to the token in localstorage question too. Regarding logging in with Yubi or our own mobile authenticator app, once that's paired with a user account, no more email link will be required, login can be achieved by tapping Yubi key or a mobile notification (similar to DUO). For users going to be using our own mobile authenticator app, there will be a special recovery process involved (inspired by crypto wallets) for users who have locked themselves out by losing their device etc.
@_seanli I also sent you a tweet :)
Am looking forward to some coding time to check magic out!
@_seanli I guess I'm stuck when I leave my phone in the car and my partner drives off in it :) Mind you without my phone lots of pain ensues anyway.
Congrats on the launch. What is the pricing? Couldn’t find that information anywhere.
@vikrampatankar Sorry for not being able to include that before launch! It'll be available very soon! There will be a free tier, and we'll be carrying over the pricing from our existing key management product (fortmatic.com/pricing) and make slight adjustments. Love to hear your feedback on the price range as we are trying to make this an optimal choice for startups and growing companies too!
Great work! We've integrated Magic into TokenSets already, and it makes getting started w/ new users a breeze.
@omidborjian Thanks so much!! Magic links are definitely starting to pick up in popularity, we've gotten quite some inspiration from the results from companies using magic links like Slack, Medium, and Substack!
This is a good idea, but I have a question: for the mail recipient, there are often all kinds of problems, such as mail delay, mail is thrown into trash box, mail is rejected and other risks. How to ensure that users can access the system?
@haolee Email links are just the easy starting point for many users. We will be graduating more users to more sophisticated login methods such as WebAuthn and mobile authenticator apps. The benefit with our DID architecture is that developers can easily add other form-factors of login without having to change the backend code!