The Magic Advantage: Future-proof Security and Privacy

Trust is critical to everything at Magic.

Earning and keeping your trust is the top priority. Magic actively maintains a high bar for security and privacy.

Whether you’re looking to build a new application or curious about the robust security program at Magic, read on to learn more about the rigorous measures that protect you and your users, from start to scale.

Our specialized cybersecurity roots

Magic was founded on the premise of uncompromising security, specifically in high-stakes, adversarial environments.

From the beginning, Magic specialized in blockchain-based identity and authentication, with an early focus on decentralized applications. Magic’s founders are the inventors of Delegated Key Management (pat. pend. USPTO 62/904689), which leverages proven public-private key cryptography, rather than a traditional password model.

You might be wondering, why key pairs over passwords?

Passwords have proven to be a weak form of security time and time again. High-profile data breaches and substantial collateral damage have impacted businesses and users on a global scale. The overwhelming consensus is that passwords are obsolete (for a deeper dive, Eric Elliott wrote an excellent piece on this precise topic). In 2014, Bill Gates proclaimed passwords “cannot meet the challenge” of keeping critical information secure.¹

Instead of transmitting a password — a secret in its raw form, dangerous if leaked — to developers’ servers, key pairs let you prove your identity without transmitting secrets over the wire.

Magic leverages Hardware Security Modules (HSMs) to heavily secure dedicated signing keys and delegates encryption and verification operations to trusted 3rd party services: Amazon Web Services’ Key Management System (KMS) and AWS Cognito. These keys never leave the hardware and are unable to be exported; all encryption and decryption operations happen inside the hardware itself.

With Magic, users’ private keys are secure, protected, and wholly owned by users themselves.

Since Magic’s inception, the system has been non-custodial (the standard for trust amongst crypto communities) in order to safeguard trust with developers and end-users.

Delegated Key Management is Magic’s essence, and it’s been securing hundreds of thousands of user private keys for thousands of blockchain companies. Expertise in cybersecurity is anchored on experience defending against sophisticated hackers in the Web 3.0 financial space.

Security that puts users first

To put this decentralized approach into perspective, stack it next to a familiar flow that many centralized identity providers offer.

Often when you set up a new account, standard options to choose from are social login or OAuth, which stands for Open Authorization. Many large companies, from Apple to Facebook and even GitHub, provide OAuth services as a way to let users approve one application interacting with another on your behalf.

For example, “Sign Up with Google.” It’s fast, it’s easy, but is it safe? As you authorize another service to use your Google credentials, the burden of security is on Google.

Perhaps the biggest question to consider is whether linking your digital identity to Google is a wise decision at all. Ongoing headlines and lawsuits surrounding Big Tech’s commercial surveillance highlight significant misaligned priorities. Users trade convenience for privacy, while platforms exploit this for profit.

Social Login is like the valet key to your car. Give that to Big Tech and your every move helps them generate revenue.

Unfortunately, centralized ecosystems like Google and Facebook are quite comfortable with the status quo. New products and features are powered by massive troves of data collected on billions of people every day. Developer and user lock-in means more valuable data to harvest, which fuels their advertising business. In a post-Cambridge Analytica world that is growing increasingly leery of major tech companies that track people, the extent of data collection has deep implications on user trust at large.

Magic enables developers to integrate with the largest OAuth providers in the industry, though we maintain our commitment to portable, user-owned identity. When users log in with social login, Magic helps you generate a personal key pair, and accounts can be migrated between or off of social login providers on demand.

Privacy and security protections

The good news is there’s good news. Magic is not a centralized identity provider and is not interested in tracking user data to boost a bottom line. It’s not the business model.

Magic is focused on developer-friendly tools that make passwordless authentication simple, seamless, and most importantly, secure. Magic plans to become the pragmatic passport of the internet, and bring self-sovereignty to internet users without reliance on Big Tech.

When users sign in with Magic authentication, no secrets are passed around, eliminating the chance for lost or stolen passwords. With a few lines of code, developers can leverage elliptic curve cryptography and public-private key pairs to authenticate users into applications.

In this way, Magic acts as the trusted facilitator, providing secure auth flows with zero visibility into users’ private keys.

Private keys belong to users. Magic respects that.

End-to-end security benefits are built into the auth solution:

• Encryption and key management — Users’ identities are protected by Magic’s patent-pending, SOC 2 compliant, Delegated Key Management system built on hardware security models (HSMs). Data is encrypted at rest and in transit, and private keys are never transmitted.
• Risk management — Secure information handling is built by design within the security architecture. Private keys are managed, but never exposed to Magic or your applications, significantly reducing the risk of a compromise and maximizing business continuity.
• Device security — Browser and multi-platform support for cryptography is tested regularly. Magic keeps up-to-date with any patches, device changes, and new operating systems.
• Continuous monitoring and vulnerability management — Best practices and processes are leveraged to detect, mitigate, and prevent targeted and DDoS attacks.

In addition, privacy protections are covered:

• Information privacy & security governance — As a global organization, Magic hires external auditing firms to validate GDPR, CCPA, and international privacy standards.
• Email deliverability — Magic collaborates with trusted email sender lists, navigates spam filters and allow-lists, and works with a collection of backup and fallback providers.
• Identity and access management — No one at Magic can access your private keys, and production deployments are tightly controlled.
• Free from lock-in — Your apps stay resilient and free of de facto lock-in from a centralized identity provider.

A compromise for Magic does not compromise you or your users.

Compliance & certifications

As a security-first company, Magic goes to great lengths to ensure comprehensive protection, effectiveness, and reliability for customers. The infrastructure has been thoroughly audited by NCC Group and A-LIGN and is SOC 2 Type 1 compliant (SOC 2 Type 2, GDPR, HIPAA, and ISO 27001 in progress). Magic has taken all steps to implement controls and procedures — privacy, security risk mitigation, confidentiality, and business continuity — as required or suggested by compliance bodies.

Magic is also insured for cybercrime damage and loss.

SOC 2 Type 1

Magic is Security Organization Controls (SOC 2 Type 1) compliant, with a Type 2 Audit in progress.

Third Party Testing

Magic undergoes twice-yearly red-team testing by reputable third party auditors.

Bug Bounty through HackerOne

Magic participates in white-hat hacker events and runs a private program on HackerOne. Your help with identifying potential issues and ways to improve our service is always appreciated. If you identify a valid vulnerability, please send us a message at security@magic.link with your H1 username to be eligible for a reward.

SLAs

Service Level Agreements on site uptime and reliability, with 99.99% uptime.

ISO27000 Series

Magic is obtaining ISO certifications, international standards within the Information Security space.

GDPR

Magic is committed to support the Data Controller articles and suggestions of the EU General Data Protection Regulation (GDPR).

HIPAA

Magic is actively pursuing HIPAA compliance.

Peace of mind from day one

In the digital era, cybersecurity practices are complex and ever-evolving.

Staying current with advanced security and privacy is an ongoing effort requiring dedicated energy and expertise.

At Magic, your privacy and security are always top of mind. Magic takes care of the intricacies and compliance, so you can focus on developing amazing applications. Starting in Web 3.0 inspired this decentralized approach to digital identity — key-based cryptography over passwords — and has built a battle-tested, future-proof authentication foundation that scales with you and your users.

Magic empowers developers with tools that make passwordless authentication simple, with the best user experience and long-term security built-in.

If you have any questions about how Magic achieves security, privacy, and compliance, please message us at security@magic.link and we can talk!

Learn More About Magic ✨

Website | Documentation | Security | GitHub | AngelList | Twitter

References

[1] Munir Kotadia, “Gates predicts death of the password”, https://www.cnet.com/news/gates-predicts-death-of-the-password/, Feb 2004