The present-day Internet is monopolized by a few Big Tech companies that we’ve come to rely on daily as we browse online. The incentives surrounding users and these large technology firms are now misaligned. Sean Li (CEO), Arthur Jen (CTO) and Jaemin Jin (Chief Blockchain Officer) came together as three cofounders to create Magic, a tool for integrating “unstoppable passwordless authentication” seamlessly into one’s modern tech stack.
The San Francisco-based startup has raised a $27M Series A (for a total of $31M raised), led by Northzone and joined by Tiger Global, Volt Capital, Digital Currency Group, CoinFund, and previous seed round investors Placeholder, Cherubic Ventures, SV Angel, Naval Ravikant, and Guillermo Rauch. In addition, several notable angels are participating, including (but not limited to): Alexis Ohanian (Co-founder of Reddit, Initialized Capital), Balaji Srinivasan (Ex-CTO at Coinbase, Co-founder of Earn.com), Ben Pruess (President at Tommy Hilfiger, Ex-VP at Adidas), Casey Neistat (YouTuber w/ 12M subscribers), Guillermo Rauch (CEO of Vercel & Next.js), Jacob Jaber (CEO of Philz Coffee), Jason Warner (CTO of GitHub), Kayvon Beykpour (Head of Consumer Product at Twitter, Founder of Periscope), Naval Ravikant (Co-founder of AngelList), Roham Gharegozlou (CEO of Dapper Labs), Ryan Hoover (Founder of Product Hunt, Weekend Fund), Sahil Lavingia (CEO of Gumroad), Scott Belsky (CPO of Adobe, Author of “The Messy Middle”), Soona Amhaz (General Partner at Volt Capital / TokenDaily), Varsha Rao (CEO at Nurx, Ex-COO of Clover Health, Ex-Head of Global Ops at Airbnb).
Prolific angel investor Naval Ravikant says, “Magic points the way towards a world in which user identity and authentication is decentralized and not subject to control by the tech giants.”
Frederick Daso: How did we arrive in our current situation where we are severely dependent on big tech companies to access key services in exchange for (and as a byproduct of) our personal information?
Sean Li: We’ve seen total internet users grow exponentially, from 0.4% to 65.6%, in the past 25 years. The reality is, big tech companies reap the benefits from this spectacular growth. As apps become more vital to our everyday communication, work, and play, users’ number of entry points multiplies. Big tech capitalized on this by offering sign-in with an existing username and password. The result is that these companies become centralized custodians, amassing troves of user identity data and creating single-points-of-failure with “too big to fail” level risks.
This problem compounds itself. One password leaked makes other compromises easier, and the rate of stolen passwords is only accelerating as more companies move online due to the pandemic.
Facebook’s most recent data breach compromised phone numbers and personal data, making it easier for hackers to impersonate users and scam them into handing over login credentials. As a result, over 500 million users’ data were leaked.
Big tech is not incentivized to take a step back and rethink how user authentication and identity should evolve to meet the needs for the future — where our lives are inseparable from the digital world. We are now living in a post-password era.
Daso: What are the incentives that are at play that created the current digital ecosystem as it is today? How are these incentives misaligned concerning the average Internet user?
Li: Many big tech companies happen to also be identity providers. While the core business model is not to provide identity and authentication for the average internet user, collecting user data fuels and optimizes monetization. This is the major misaligned incentive. As a result, user security, privacy, and self-sovereign identity are quite low priorities. How users authenticate into online services has experienced almost no innovation in the past decades. Passwords are obsolete, and yet they’re still a prevalent form of authentication.
However, on a positive note, we have seen more trailblazing companies, like Slack and Medium, that pioneered passwordless logins via email-based magic links. That’s helped raise awareness of alternative authentication methods and inspire many more security and UX-conscious companies to adopt magic links!
Daso: Why has technological innovation in authentication stagnated for the past three decades? Are the misaligned incentives stated and discussed above also affecting our efforts to innovate in this space?
Li: Passwords are a flawed security measure for users to verify their identity. Over 80% of hacking-related breaches used stolen and/or weak passwords. The password management market is now worth billions and growing rapidly, generating lucrative profits for businesses that incentivize them to keep many password-related problems unsolved.
With the rise of password managers, the industry has also developed the habit of passing the responsibility for account security to the average internet user, who likely does not know online security. In addition, compromised users are often blamed for having poor cybersecurity hygiene.
This cycle results in complacency. I believe we need to solve this problem at its root. By giving developers the tools to easily add more secure authentication methods to their app, users won’t have to wrestle with password-based login in the first place. Average internet users shouldn’t be burdened with the complexity of managing their online security. True tech innovation in the auth space will help to restore user trust on the Internet, which is the heart of Magic’s mission.
Daso: How are you able to “future-proof” authentication? How can your solution be essentially time-invariant to evolving conditions and future needs in the authentication process?
Li: Instead of usernames and passwords, Magic uses public and private keys to authenticate users. A decentralized identifier is signed by the private key to generate a valid authentication token that can verify user identity.
Traditionally, usernames are unique, publicly recognizable identifiers that help pinpoint a user. In contrast, passwords are secrets created by the user and are supposed to be something only they know.
Public and private keys are materially improved versions of usernames and passwords. The public key is the identifier, and the private key is the secret. Instead of being created by users and prone to human error (e.g., weak/repeated passwords), the key pair is generated via elliptic curve cryptography that has proven itself as the algorithm used to secure immense value sitting on mainstream blockchains like Bitcoin and Ethereum.
Using blockchain key pairs for authentication gives Magic native compatibility with blockchain, supporting over 14 blockchains. This lets developers using Magic tap into the potential of the rapidly expanding blockchain industry that is growing 56.1% year over year and is projected to reach $69.04 billion by 2027.
The key pairs are also privacy-preserving (no personally identifiable information) and exportable. This allows user identity to be portable and owned by the users themselves (self-sovereignty). The world is already moving towards this direction with pioneering solutions from companies like Workday and Microsoft.
Daso: Specifically, what antiquated authentication procedures are holding back areas of the modern tech stack? What added functionality and benefit will tech companies’ infrastructure gain with the adoption of Magic?
Li: Modern-day applications are rarely built from the ground up and are instead built with composable and interchangeable “developer LEGOs,” each responsible for a sliver of an application’s functionality, e.g., storing and organizing a catalog with a CMS, processing payments, providing advanced search, etc. Applications built using Jamstack technology are great examples of this.
If this is the new trend, then why isn’t authentication, an essential piece of infrastructure, a more common “LEGO piece”? This is because companies offering antiquated password-based authentication methods introduce significant platform-lock risks. Passwords may be hashed and stored differently across platforms. It’s also a one-way procedure. Once hashed passwords are stored within a company’s infrastructure, they cannot leave. This makes it nearly impossible for a developer to switch to a different authentication platform without a severe impact on the existing user base. This is a big reason why many developers are still building auth themselves despite the cost and challenges.
Magic is passwordless by default, so there’s no lock-in from storing passwords. Developers can swap Magic out for an alternative solution or their own in-house implementation without impacting their end-users. We are also not afraid to push the boundaries of authentication by adopting new standards like WebAuthn and creating an SDK that lets developers add hardware/biometric-based authentication with just a few lines of code.
Magic is designed with scale in mind and will grow with our customers, as many of them have large, rapidly growing user bases. Developers can also easily plug Magic SDK into modern tech stacks like Jamstack and low/no-code platforms like Webflow. Magic’s security is also constantly evolving. We conduct routine audits and have plans to further improve our security by adopting continuous and behavioral-based authentication.
Daso: We’ve discussed before how the password itself was the weak link in online security for users and how you’re creating Magic for developers to adopt so the former don’t have to deal with passwords ever again. However, developers are known to be an inconsistent type of customer to serve. So beyond removing a developer’s burden to create and maintain their own authentication protocols around user passwords, what other authentication factors do developers care about, and how have you designed Magic to attend to their concerns?
Li: Since authentication is the critical path for users, there is quite some inertia from developers to change it once it’s implemented. This results in strong retention for Magic, as we provide the necessary peace of mind developers need with any authentication solution to focus on building what matters for their business.
Developers also care a lot about reliability and availability. So we’ve partnered with vendors to ensure login emails are delivered quickly and reliably to users’ inboxes, as well as operating with 99.99% uptime. Magic also makes extending the default email-based magic link login a breeze, like adding social and WebAuthn login, with SMS and multi-factor authentication coming soon.
Magic’s value proposition doesn’t stop at just the developers. With this new round of funding, we’ll expand our feature set for businesses and teams.
Daso: I remember the first time we spoke, you described Magic as creating a passwordless future. Now, you’ve expressed Magic’s vision as the passport of the Internet. What has motivated this reframing of your company’s vision, and how does it center individual users first before massive tech companies?
Li: Building decentralized, future-proof authentication has always been our goal, and building the passport of the Internet is a more tangible way to describe it to help more people grok our vision.
Creating a passwordless future is a necessary first step as authentication cannot be future-proof without it. So in many cases, I choose to keep it simple and focus on eliminating passwords, which will also resonate with less technical audiences since most people hate passwords.
I often compare what we are doing at Magic to planting trees for reforestation to the team. Every user we help onboard to decentralized forms of identity is a tree planted. When users interact with applications powered by Magic authentication, they are automatically onboarded to decentralized identity, which is fully owned by themselves instead of big tech companies. The fastest way for us to get there is by building the best auth product for developers – empowering them with the world’s easiest way to integrate Magic into their applications.