Magic is a passwordless authentication system. It starts with “magic links,” where you’re e-mailed a login link instead of providing the usual username and password. Magic makes it quick and easy for developers to implement this model in any application. But behind the scenes, you’ll find a robust security platform built on secure hardware and user-owned encryption that paves the way for broader adoption of Web 3.0 technologies.
Magic’s security overview does a great job of describing the security guarantees of the service, but here’s a quick summary. Normally, an application stores both your username and password and authenticates you internally. This is a huge security flaw because it means anybody who breaks into the application’s servers can potentially break into all accounts. And by storing both your username and password the service operator has effective control of all your data even if everything is encrypted internally. Magic also points out that “81% of all breaches are due to passwords, and 59% of people reuse their passwords everywhere”. So the failure of one service often cascades into other breaches.
An account in Magic is actually a unique cryptographic public/private key pair instead of the usual credentials. The public key is like a username (safe to share) and the private key is like a password (which must be kept safe). These come with two important features. First, the owner of a key pair can digitally sign any data in a way that others can verify its authenticity using the public key because only the holder of a private key can create a valid digital signature corresponding to that public key. Second, you can encrypt data such that only the owner of the private key can decrypt it.
Apps that use Magic authentication see your public key but never your private key. When you sign up, Magic generates a unique key pair on your device, specific to that application. When you log in, Magic has your device create a DID-compliant signature using the corresponding keys, and forwards it to the application. If the signature matches the public key, you’re in. No passwords.
Critically, Magic itself cannot see or access your private keys either. User keys are stored in dedicated hardware security modules (HSM) in specialized AWS centers. Each account has a dedicated HSM instance that only the user’s devices can access. Magic’s SDK manages the client-side flow of transactions between your devices, your HSM, and the application’s servers without exposing the private key. They do store encrypted copies of private keys for backup and recovery, but again only the user’s devices can decrypt them. It’s like having your own hardware wallet in the cloud.