Chris Messina

Magic - Make passwords disappear with a touch of Magic

Passwords are the bane of app security. With a few lines of code and no bloat, Magic lets you build apps with blazing-fast, customizable, passwordless login - with future-proof crypto and identity tech under the hood.

Replies
Seena Rowhani
Very exciting project, nice work to all those involved!
Sean Li
@srowhani Thanks so much! Would love to hear any questions or feedback after you give Magic a spin!
FE4RBANDSZ
Nice work
Sean Li
@fe4rbandsz Thanks so much! Would love to help answer any questions and hear ways we can improve Magic!
Jal Jalali Ekram
Awesome!! Promising product!!!
Jake Jin
Passwordless login sounds amazing, great work! :D
Sean Li
@j13est Thanks Jake!! Let us know if there are improvements we can make on the UX!
Thê-Minh ¯\_(ツ)_/¯
Looks promising! How will you differentiate from Auth0? Also what's your business model?
Sean Li
@the_minh Thanks! The main difference is that Auth0 is a centralized identity provider, similar to Facebook or Google. But Magic uses decentralized identity (https://w3c-ccg.github.io/did-pr...) using blockchain-based keypairs, meaning that user identity is self-sovereign and portable (no lock-in, more ownership). We also have a whitepaper about our architecture: http://go.magic.link/whitepaper/ Our business model is a SaaS subscription model based on the # of keys/users being managed by an application. Pricing page will be coming live soon!
Jiří Diblík
Great Job :)
Sean Li
@jiri_diblik Thanks!! 😄
Sergey Lukin
This is so relevant. Great job! Love it. One question: how much does/will it cost? Couldn't find it on website.
Sean Li
@sergey_lukin Thanks so much Sergey! Pricing page is coming very soon! We'll be charging a base fee plus a fixed charge per active user per month. We'll be carrying over the pricing from our existing key management product (https://fortmatic.com/pricing) and making slight adjustments. We'd love to hear your feedback on the price range, as we are trying to make this an optimal choice for startups and growing companies too!
John Philip Morgan
@_seanli I was very impressed when I signed up on my laptop and when I clicked the email link on my phone I was instantly signed into the dashboard on my laptop... BUT then I opened a new window and signed up with my coworker's email (he is currently across town) and he clicked the email and I was instantly signed in to HIS account. This seems very insecure. This is why providers like Auth0 require magic links to be opened in the same browser session to be valid. Maybe I'm missing something here? Besides this seemingly big security flaw I am very impressed with the simplicity and execution. Love the brand and great documentation. Way to go 🙌
Sean Li
@jpamorgan Thanks so much for the help testing and the feedback John! We're aware of the potential phishing risks like you described, and will be releasing the feature to detect where and how the user has opened the magic link in order to prevent users from accidentally clicking on a malicious login attempt! There's only so much that can be done in terms of email security. In the future, through progressive disclosure, we'll be gradually introducing users to more sophisticated form-factors of login we are working on like WebAuthn / mobile authenticator apps.
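The exchange above describes the failure mode of a magic link that is accepted from any device: the link is delivered to an inbox, and whoever clicks it signs in the browser that requested it. The usual mitigation, which John attributes to Auth0, is to bind the link to the browser session that asked for it. Below is an added illustration of that binding, written for this thread; it is not Magic's code and does not describe Magic's implementation. It assumes an in-memory store of pending logins, a session cookie set on the requesting browser, and a short expiry; all names (`MagicLinkService`, `start_login`, `complete_login`, `demo`) and sample values are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time


class MagicLinkService:
    """Issue single-use magic links bound to the browser session that requested them.

    Hypothetical service written for this example (not Magic's or Auth0's code).
    The store is a plain dict; a real deployment would use a database with the
    same fields. `now` is injectable so expiry can be tested deterministically.
    """

    def __init__(self, ttl_seconds=600, now=time.time):
        self._ttl = ttl_seconds
        self._now = now
        # link_token -> {"email", "session_hash", "expires"}
        self._pending = {}

    def start_login(self, email):
        """Called when a browser submits its email address.

        Returns (session_cookie, link_token). The cookie is set on the
        requesting browser; the link_token is embedded in the emailed URL.
        Only the hash of the cookie is stored, so a leaked pending-login table
        does not hand out usable cookies.
        """
        session_cookie = secrets.token_urlsafe(32)
        link_token = secrets.token_urlsafe(32)
        self._pending[link_token] = {
            "email": email,
            "session_hash": hashlib.sha256(session_cookie.encode()).hexdigest(),
            "expires": self._now() + self._ttl,
        }
        return session_cookie, link_token

    def complete_login(self, link_token, presented_cookie):
        """Called when a browser opens the emailed link.

        Returns (email, "ok") on success, or (None, reason) when the link is
        unknown, expired, replayed, or opened from a browser that does not hold
        the cookie issued in start_login. The token is consumed on success and
        on expiry, never left reusable.
        """
        record = self._pending.get(link_token)
        if record is None:
            return None, "unknown or already-used token"
        if self._now() > record["expires"]:
            del self._pending[link_token]
            return None, "expired"
        presented_hash = hashlib.sha256((presented_cookie or "").encode()).hexdigest()
        # Constant-time comparison; the stored value is a hex digest, so it is
        # always the same length as presented_hash.
        if not hmac.compare_digest(presented_hash, record["session_hash"]):
            return None, "link opened outside the browser that requested it"
        del self._pending[link_token]  # single use
        return record["email"], "ok"


def demo():
    """Walk through the scenario from the thread with a fixed clock.

    Returns a dict of outcomes so the behaviour can be asserted on, not just read.
    """
    clock = {"t": 1_000.0}
    svc = MagicLinkService(ttl_seconds=600, now=lambda: clock["t"])

    # Laptop requests a link for the coworker's (constructed) address.
    laptop_cookie, token = svc.start_login("coworker@example.test")

    # The coworker opens the link on their own phone: no laptop cookie present.
    other_device = svc.complete_login(token, presented_cookie=None)

    # The laptop that asked for the link opens it: cookie matches, login completes.
    same_browser = svc.complete_login(token, presented_cookie=laptop_cookie)

    # A second click on the same link is refused (single use).
    replay = svc.complete_login(token, presented_cookie=laptop_cookie)

    # A fresh link left unopened for longer than the TTL expires.
    cookie2, token2 = svc.start_login("someone@example.test")
    clock["t"] += 601
    expired = svc.complete_login(token2, presented_cookie=cookie2)

    return {
        "other_device": other_device,
        "same_browser": same_browser,
        "replay": replay,
        "expired": expired,
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The trade-off is the one John's comment implies: with this binding in place, clicking the link on a phone no longer signs in the laptop, because the phone has no cookie for that pending login. A service that wants to keep the cross-device convenience has to add a separate confirmation step on the device that clicked (for instance, showing a code that the requesting browser must enter) rather than trusting the click alone, which is the direction the reply above points at with its "detect where and how the user has opened the magic link" feature.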
Lyondhür Picciarelli
Apologies, but I am not a big fan. Loved the time and effort put into the sec paper, however, how can gaining access evolve from passwords to magic links, but still rely on the oldest and most corruptible of tools.. emails? Maybe I'm missing something here, but wouldn't this mean that anybody who gained access to someone's main email account could basically bypass password gateways? Passwords are not great, but at least they can be complex and individual enough (one to each service). It is definitely not an elegant solution, but when that is paired with authentication codes and 2-factor authentication, the user has at least enough time to intervene in the event of a breach. One email link greatly reduces that variability to essentially one source of access. Being in control of one's 'magical' account, a malicious user could then reset 2-factor authentication features, reattribute accounts and basically wreak a whole load of havoc. I would be all over this if the other side of the handshake was NOT an email. Maybe a ping on Signal, Wire, Keybase or any other reasonably safe messenger? Why the hell emails? :D Perhaps an ultra-personal device with AT REST or BC encryption - preferably heavy on biometrics - such as a smartwatch or a ring or else.
Sean Li
@lyondhur No need to apologize and thank you for your transparency! We started with email links because that's the easiest way for mainstream users to get started. Magic practices progressive disclosure religiously and the goal is to eventually graduate users into more sophisticated forms of login such as WebAuthn and mobile authenticator apps. Under the hood, Magic uses decentralized identity (DID); developers only need to deal with DID tokens (signed by user private keys) to grant user access to their backend resource server, and the front-end key management form-factor can be very flexible (magic links, mobile authenticator, WebAuthn etc.) without having to change the backend code! This is a bit like the Docker for auth 😆
Domel N
It's great