Magic’s goal is to meet companies wherever they are on the path to Web3 adoption—from exploring authentication options to fully integrating with a blockchain, Magic provides solutions that developers and enterprises alike can trust. Our mission to onboard the next billion users to Web3 is not just a catchphrase, it’s a foundation that affects how we address security at every aspect of the user journey.
Magic doesn’t use passwords; there’s another option.
Passwords are only one (obsolete) way to handle authentication. Magic uses one-time passcodes to grant access. Delivered through email, these passcodes are time-bound tokens that enable authentication without the developer having to store and maintain passwords. Optionally, Magic also supports social login providers as a cross-platform authentication path for our products.
Phishing is an ever-present threat on the internet
Since the creation of the internet, hackers have leveraged phishing to direct victims to authentic-looking pages to attack them or steal their credentials. Hackers can craft incredibly realistic pages, utilize social engineering to entice victims to connect, and capture credentials for later use in direct attacks or credential-stuffing attacks elsewhere on the internet.
Magic’s approach to authentication makes phishing much more difficult. Because Magic uses time-bound tokens, any credentials captured from successful phishing attacks have the same limited shelf life. Magic’s innovative approach to device registration for authentication, for customers who wish to take advantage of it, dramatically increases the difficulty of phishing attempts.
Once an end-user uses their time-bound token to establish a session with Magic, Magic generates a key pair based on the Ethereum blockchain. The public key acts as an identifier for the user. Leveraging elliptic curve cryptography, the private key is used to generate a verifiable proof of identification and authorization from a claim. The proof is then sent to the developer application servers, where the data in the claim can be recovered and the authenticity of the request can be verified. Authentication and authorization are achieved without requiring user passwords. The claim format is an adaptation of the W3C Decentralized Identifiers (DID) protocol. Learn more about Magic DIDs here.