Passwords are the bane of app security. With a few lines of code and no bloat, Magic lets you build apps with blazing-fast, customizable, passwordless login - with future-proof crypto and identity tech under the hood.
@sergey_lukin Thanks so much Sergey! Pricing page is coming very soon! We'll be charging a base fee a fixed charge per active user per month. We'll be carrying over the pricing from our existing key management product (https://fortmatic.com/pricing) and make slight adjustments. Love to hear your feedback on the price range as we are trying to make this an optimal choice for startups and growing companies too!
Great work! We've integrated Magic into TokenSets already, and it makes getting started w/ new users a breeze.
@_seanli I was very impressed when I signed up on my laptop and when I clicked the email link on my phone I was instantly signed into the dashboard on my laptop....
BUT then I opened a new window and signed up with my coworker's email, who is currently across town, and he clicked the email and I was instantly signed in to HIS account. This seems very insecure. This is why providers like Auth0 require magic links to be opened in the same browser session to be valid.
Maybe I'm missing something here?
Besides this seemingly big security flaw I am very impressed with the simplicity and execution. Love the brand and great documentation. Way to go 🙌
@jpamorgan Thanks so much for the help testing and the feedback John! We're aware of the potential phishing risks like you described, and will be releasing the feature to detect where and how the user has opened the magic link in order to prevent users from accidentally clicking on a malicious login attempt!
There's only so much that can be done in terms of email security. In the future, through progressive disclosure, we'll be gradually introducing users to more sophisticated form-factors of login we are working on like WebAuthn / mobile authenticator apps.
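The same-browser binding raised in the comment above, as an added example (not from this thread, and not Magic's or Auth0's code): the server ties each link to a nonce cookie set in the browser that requested it and refuses redemption from any other browser. The function names, token layout and 10-minute lifetime are assumptions of this example.

```javascript
const crypto = require("node:crypto");

// Constructed for this example: a real deployment loads the key from a secret store.
const SERVER_KEY = crypto.randomBytes(32);
const TTL_MS = 10 * 60 * 1000; // assumed link lifetime
const redeemed = new Set();    // ids of links already used (single use)

const b64u = (buf) => Buffer.from(buf).toString("base64url");
const sha256 = (s) => crypto.createHash("sha256").update(s).digest("base64url");
const mac = (body) => crypto.createHmac("sha256", SERVER_KEY).update(body).digest();

// Called when the login form is submitted. browserNonce is a random value the
// server also sets as an HttpOnly cookie in the browser that asked for the link.
function issueMagicLink(email, browserNonce, now = Date.now()) {
  const payload = { id: b64u(crypto.randomBytes(16)), email, exp: now + TTL_MS,
                    bind: sha256(browserNonce) };
  const body = b64u(JSON.stringify(payload));
  return `${body}.${b64u(mac(body))}`;
}

// Called when the link is opened. cookieNonce is the nonce cookie presented by
// the browser opening the link (undefined on a different browser or device).
function redeemMagicLink(token, cookieNonce, now = Date.now()) {
  const [body, sig] = String(token).split(".");
  if (!body || !sig) return { ok: false, reason: "malformed" };
  const given = Buffer.from(sig, "base64url");
  const expected = mac(body);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "bad-signature" };
  const p = JSON.parse(Buffer.from(body, "base64url").toString()); // authenticated above
  if (now > p.exp) return { ok: false, reason: "expired" };
  if (redeemed.has(p.id)) return { ok: false, reason: "already-used" };
  if (!cookieNonce || sha256(cookieNonce) !== p.bind)
    return { ok: false, reason: "different-browser" };
  redeemed.add(p.id);
  return { ok: true, email: p.email };
}
```

With this check, a link clicked on a device other than the one that requested it creates no session anywhere, which also rules out the cross-device sign-in described earlier in the thread.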
This is a good idea, but I have a question: for the mail recipient, there are often all kinds of problems, such as mail delay, mail being thrown into the trash box, mail being rejected, and other risks. How do you ensure that users can access the system?
@haolee Email links are just the easy starting point for many users. We will be graduating more users to more sophisticated login methods such as WebAuthn and mobile authenticator apps. The benefit with our DID architecture is that developers can easily add other form-factors of login without having to change the backend code!
@vineet_goel1 good question! We start with magic link emails since it's the easiest way to get users started even though it may be susceptible to compromised emails (good thing most email providers have better protection mechanisms now). In the near future we will have other hardware/device login which can be added by users for added security and recoverability! Progressive disclosure is key for Magic: ease users in with magic links, and then graduate them into more advanced ways to log in later.
The other unique aspect with Magic is that we use decentralized identity (DID): developers only need to deal with DID tokens signed by keys on the backend resource server, and the front-end key management form-factor can be very flexible (magic links, mobile authenticator, WebAuthn etc.) without having to change the backend code!
@_seanli Great product. I was lucky to have a glimpse of this during ETHDenver :)
I have a basic doubt here -
Consider a case where someone stole my device and somehow managed to get the device password. Now that person will be able to get into the app via clicking on the magic link from the email client. How do you take care of the security in this case?
@meakaakka Thanks Akash! Magic link relies on the users' security of their email. It's a good place to help users get started. The goal here is progressive disclosure: eventually graduate users towards more sophisticated device-based login via WebAuthn / our own mobile authenticator app.
@_seanli got it. The challenge here is to let users get familiar with the magic link flow. And I think a mobile authenticator app would surely fix this security issue.
This is amazing and looks pretty simple to integrate. I will give this a try.
Is there any other way to send links other than emails? What other applications can this be extended to other than logins?
Great Job!
@soham_g Thanks so much! We are working on WebAuthn and mobile authenticator app for one-click login first, then we may explore other ones like phone number.