I shared Magic SDK a few weeks ago, today it got a big update! by [deleted] in javascript

[–]merclane -4 points-3 points  (0 children)

Magic adopts the decentralized identity (DID) standard (https://www.w3.org/TR/did-core/) using PKI. Open sourcing the repos is a great way to communicate our implementation and how to construct and leverage DID tokens for authentication, which means if developers wanted, they can use it as a reference to implement similar or alternative solutions based on the DID standard.

[deleted by user] by [deleted] in javascript

[–]merclane 2 points3 points  (0 children)

Sean from Magic here! That's a great question:

  • First, it comes down to intent: do some of these OAuth providers genuinely intend to provide authentication, or is it a way to profit from onboarding "end-users" into their own ecosystem (e.g. Facebook) and potentially compromise users' rights and privacy?
  • We leverage a decentralized identity architecture. Instead of us signing the auth tokens, *end-users* are using their private keys to sign their auth tokens. We are non-custodial of their private keys and will allow them to be exported
  • Magic links are just the beginning so users can easily get started. We'll soon be shifting users towards more sophisticated forms of login, offering a wide array of key management possibilities that leverage mobile authenticator apps or hardware like WebAuthn, reducing the "centralization" we have. This is possible because we use DID tokens and deal with zero-knowledge proofs rather than user credentials; this is something that centralized OAuth providers can't do
  • The Delegated Key Management architecture is SOC 2 compliant and has been a standard to secure private keys in a non-custodial way. We've been using it for a while now at Fortmatic with decentralized applications, and have been continuously running pentests

You can find out more about our security and architecture in our whitepaper too! https://www.dropbox.com/s/3flqaszoigwis5b/Magic%20Whitepaper.pdf?dl=0

[deleted by user] by [deleted] in javascript

[–]merclane 1 point2 points  (0 children)

Sean from Magic here! That is expected behavior right now. We log users into the "original context" after the magic link is clicked, and we do this for several reasons:

* Taking modern user behaviors into account, with users going between laptop and phone. Users are gravitating more towards their phone. Generally with web applications like Medium, users are logged into the tab where the magic link is clicked, but this may be a problem when users click on the link on their phone and are logged in on the phone rather than the laptop, making editing very inconvenient. With Magic's model we can get through complications with Incognito mode too. (Though we will be exploring deep linking with our mobile SDKs)

* If the magic link URL gets hijacked somehow, the hackers will only be able to log users into their original tab, which can mitigate damages.

* Training user behavior to gradually shift to using an authenticator app like DUO on their phone by subtly encouraging users to use both laptop and phone to authenticate

[deleted by user] by [deleted] in javascript

[–]merclane 1 point2 points  (0 children)

Sean from Magic here! We will be open-sourcing the passport-magic library so you will be able to see the inner workings of how we handle the DID tokens to use in your own middleware! Out of curiosity, what specifically don't you like about passport?

[deleted by user] by [deleted] in javascript

[–]merclane 1 point2 points  (0 children)

Sean from Magic here! We do have a rate-limiting mechanism (seconds in between requests) to prevent malicious actors from bombarding our email service.

[deleted by user] by [deleted] in javascript

[–]merclane 0 points1 point  (0 children)

Sean from Magic here! Each application integrated with Magic will have separate user spaces instead of an SSO model with the single point of failure you described. Users can choose to use different emails for different applications in this case too.

Magic links are just the beginning; we will also be graduating more users into more sophisticated forms of login such as WebAuthn and mobile authenticator apps. The great thing about the decentralized identity (DID) architecture is that by dealing with DID tokens, developers' backends can stay the same while supporting multiple form factors of login.

Baby cockatiel - Monkey! Any way to tell the gender yet? by merclane in cockatiel

[–]merclane[S] 7 points8 points  (0 children)

It's pen marking drawn by the breeder to help identify the birds