Magic SDK offers the integration of Passwordless Authentication for developers of DaPPs on Ehtereum. They just announced their support for Tezos as their first non-EVM (Ethereum Virtual Machine) chain. To put it in simpler words: Magic has developed an easy way for developers of DaPPs to build a secure way to log-in to DaPPs. Magic is an SDK: a Software Development Kit. SDK's are the software version of IKEA: it provides all the bits and pieces to build your own tool, in this case a secure way to log-in to a DaPP. This will help developers to enable users to log-in without the use of a new password, but simply through a link that is provided via email. This is a user-friendly method, but also a safer method than password verification.
Formatic, the company that created Magic, had previously only focused on Ethereum. But growth of the Tezos ecosystem has brought Tezos to the attention of Formatic.
"Tezos is a solid contender to the generalized blockchain ecosystem, with a blossoming developer community and capabilities like on-chain governance, a Proof-of-Stake consensus algorithm, and the ability to facilitate formal verification of smart contracts. These features make Tezos an ideal long-term solution for high-value financial applications. Combined with a growing community of developers, there is a clear potential for exciting and high-stakes applications with the right set of tools in place." - Source
We heard that sentiment before with Truffle that just started to offer tools for Tezos after years of pure Ethereum focused products:
"We chose Tezos as our first non-EVM (Ethereum Virtual Machine) chain because of its blossoming developer community. In our position as tool builders, we go where the market takes us: If enough people ask for Tezos support, we listen." -Source
A pure decentralized blockchain like Tezos without any marketing campaigns or branding will need a bit more time to get traction, but we can see the writing on the wall more and more clearly: Tezos is a platform worth building on for long-term functionality.
Magic SDK
Let's dive a little bit deeper in what Magic SDK offers. It offers a secure way to log-in, without the need for users to set up a password.
Password log-in systems are not the safest way to protect accounts that hold value. Data breaches happen often and have serious implications. Methods where only the "hash" (encrypted version) of passwords are stored aren't safe either when large numbers of passwords are stored in one database. Data breaches in those cases increase the success rate of brute-forcing passwords where large numbers of encrypted passwords can be brute-forced in bulk.
Magic also prevents successful hijack-hacks. Hijacking user sessions are limited in usability if important features or transactions within the App require re-authentication without (merely) relying on passwords.
The solution in this case is authentication based on private- public key authentication. Blockchain-based apps are very much suitable for this, since blockchains already rely on private- public key authentication. (Blockchain transactions are signed using private keys.) So blockchains (previously just Ethereum but since yesterday also Tezos) can easily provide the keys needed for this type of log-in setup. The private keys are stored in HSM's (Hardware Security Modules). Once users want access to their app, they request an authentication link that will give them access. Magic SDK uses "magic" links, which are temporary URL's that expire over time. Clicking these links authorize you to sign in. These links can be sent over e-mail which allows you to sign in via e-mail into any app that uses Magic SDK. This way Magic SDK provides a secure log-in system which does not require password verification.
This offers multiple advantages.
From a users point of view:
- An improved form of security
- No extra password to remember
From a developers point of view:
- Not managing passwords and fully outsourcing the log-in process, eliminates password-related overhead. (Support tickets or any other form)
- The need to create another username and password to get access to a new app, causes an extra obstacle and friction for users to start using a new app. The absence of a password-based registration improves conversations with an estimated 54%