Web3Auth vs Magic — How to choose your Key Management Solution

Comparing two of the leaders in the wallet/ private key management space, Web3Auth and Magic.

Authentication is one of the most important components of any application, and as the Web3 movement grows, wallet and private key management becomes its most critical aspect: the right to own your own key is the right to own your own identity.

For any dApp, the fundamental question is: how are you managing your users' wallets? With this question in mind, we compare two of the leaders in the wallet management space, Web3Auth and Magic.

Before we dive into the technical details and the comparison, let's understand what these solutions are trying to achieve. Both Web3Auth and Magic replace seed phrases with one-click logins, making onboarding into web3 seamless while letting the application control its own login flows.

Beyond that, the infrastructure and usage of the two platforms are very different and need a deeper look. We will compare them on the following aspects:

  1. Wallet Management: How are users' private keys managed and kept safe?
  2. Authentication Options: Which authentication and 2FA methods are supported?
  3. Multichain Support: How many blockchains are supported?
  4. White Labelling and Customisation: How much control does the developer have over the UX flows?
  5. Scalability: How do the platforms perform for applications at scale?
  6. Ease of Integration: How easy is it to implement a basic instance of the platform?
  7. Open Source & Native Platform Support: How much code is publicly available and audited? How many platforms are supported?

Differences in Wallet Management Infrastructure

According to Magic's whitepaper:

“Magic’s Delegated Key Management leverages Hardware Security Modules (HSMs) provided by Amazon Web Services’ Key Management Service (AWS KMS). Dedicated user master keys generated using AES-256 with 384-bits of entropy are stored on the HSMs. The master keys never leave the hardware as they are meant to be locked inside and unable to be exported. All encryption and decryption operations happen inside the hardware modules themselves. HSMs are a lot like popular FIDO devices like YubiKeys or hardware-based wallets for cryptocurrency storage such as Trezor or Ledger, but instead of traditional hard drive storage, they sit in the cloud, secured by AWS’s data centers.
Users’ private keys are encrypted by these hardware-based user master keys, which means that attackers need to gain access to the hardware to be able to retrieve the keys, and are forced to stay within Magic’s adversarial infrastructure — which is capable of detecting, impeding, and monitoring attackers’ progress to prevent and mitigate any damages.”

Magic therefore relies on AWS KMS-backed HSMs for key encryption: each user's private key is encrypted under a per-user master key that lives inside the HSM, and the encrypted private key is stored separately in a multi-region MySQL database. This is good for speed and availability, but it has a major weakness: the entire private key exists as a single encrypted object whose confidentiality rests on one provider's KMS and the access policy in front of it, which makes that KMS a single point of failure. For this reason, Magic's solution is better described as semi-custodial.

Web3Auth is a fully non-custodial MPC (Multi-Party Computation) solution: the user's key is split into shares distributed across a network of nodes run by leading firms in the crypto industry and across the user's own devices. The shares are created by a distributed key generation (DKG) run by the on-chain node network, followed by an off-chain multi-sig across the user's factors. No single party ever holds the complete key, and only the user can use it, through their own authentication methods. When a blockchain transaction is signed, the key is never reconstructed or stored anywhere; instead, each node and user device produces a partial signature over its own share, and these partial signatures are combined into the final signature for the transaction.

The node network is distributed worldwide, giving global availability and industry-leading speeds, with the assurance that a complete user key is never held by a single entity at any time.

You can read more about Web3Auth’s Wallet Management Infrastructure and the New MPC Solution.

Authentication Options

One of the key features of both Web3Auth and Magic is support for any social login, federated identity provider (Auth0, Firebase, AWS Cognito, etc.) or custom JWT auth provider. This lets developers integrate any login method, provided it issues a JWT ID token that the platform can verify at user registration. Since that token is what unlocks the user's key, the verifier must check the token's signature, issuer, audience and expiry rather than merely decode it.

In addition, two-factor authentication is a key aspect of keeping accounts secure. Magic supports 2FA with authenticator apps such as Authy and Google Authenticator and/or SMS one-time codes, giving users the traditional 2FA experience (with the usual caveat that SMS codes are the weaker of the two factors).

Web3Auth adds a further layer of security here with Two-Factor Wallets. It uses its off-chain multi-sig to split the key across multiple devices and/or SMS and other authentication factors, so that a threshold of factors is needed to use the key. The result is a genuinely decentralised 2FA setup: a single compromised authentication method yields only one share, which on its own reveals nothing about the key.
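As an added illustration of the threshold model behind both the MPC wallet management described above and the two-factor wallets described here (example code written for this article, not Web3Auth's or Magic's implementation): a private key is Shamir-split into three shares, two shares sign a message through partial signatures without the key ever being reconstructed, and a single leaked share is shown to be consistent with every possible key. The signature scheme is a toy Schnorr over a tiny Schnorr group (p = 1019, q = 509, g = 4) chosen only for readability; the partial-signature mechanism is the generic threshold-Schnorr construction, not Web3Auth's actual signing protocol, and the parameters are far too small for real use.

```python
"""Threshold key management illustration (added example, not Web3Auth or
Magic code): Shamir-share a key, sign with a threshold of shares using
partial signatures, and show that one share alone leaks nothing."""
import hashlib
import secrets

# Toy Schnorr group: p = 2q + 1 is a safe prime and g = 4 has prime order q.
# Far too small for real use; chosen only to keep the numbers readable.
P = 1019
Q = 509
G = 4


def split_key(secret, threshold, n_shares):
    """Shamir-share `secret` over Z_q: any `threshold` shares recover it,
    fewer reveal nothing. Returns (x, f(x)) pairs for x = 1..n_shares."""
    coeffs = [secret % Q] + [secrets.randbelow(Q) for _ in range(threshold - 1)]

    def f(x):
        return sum(c * pow(x, i, Q) for i, c in enumerate(coeffs)) % Q

    return [(x, f(x)) for x in range(1, n_shares + 1)]


def lagrange_at_zero(xs):
    """Coefficients lambda_i such that secret = sum(lambda_i * y_i) in Z_q."""
    lam = {}
    for i in xs:
        num, den = 1, 1
        for j in xs:
            if j != i:
                num = num * (-j) % Q
                den = den * (i - j) % Q
        lam[i] = num * pow(den, -1, Q) % Q
    return lam


def reconstruct(shares):
    """Plain reconstruction: what a threshold of holders *could* do.
    The signing path below never does this."""
    lam = lagrange_at_zero([x for x, _ in shares])
    return sum(lam[x] * y for x, y in shares) % Q


def challenge(R, msg):
    """Fiat-Shamir challenge e = H(R || msg) reduced into Z_q."""
    h = hashlib.sha256(R.to_bytes(2, "big") + msg).digest()
    return int.from_bytes(h, "big") % Q


def threshold_sign(shares, msg):
    """Each holder uses only its own share y_i and a fresh nonce k_i:
    round 1 publishes R_i = g^k_i, round 2 publishes s_i = k_i + e*lambda_i*y_i.
    The combined (R, s) is an ordinary Schnorr signature on the full key x,
    yet x is never assembled by anyone."""
    lam = lagrange_at_zero([x for x, _ in shares])
    nonces = {x: 1 + secrets.randbelow(Q - 1) for x, _ in shares}
    R = 1
    for k in nonces.values():                      # R = prod(g^k_i) = g^(sum k_i)
        R = R * pow(G, k, P) % P
    e = challenge(R, msg)
    partials = [(nonces[x] + e * lam[x] * y) % Q for x, y in shares]
    return R, sum(partials) % Q                    # s = sum(s_i)


def verify(pub, msg, sig):
    """Standard Schnorr check: g^s == R * pub^e."""
    R, s = sig
    return pow(G, s, P) == R * pow(pub, challenge(R, msg), P) % P


def demo():
    x = 1 + secrets.randbelow(Q - 1)               # user's private key
    pub = pow(G, x, P)
    # 2-of-3 split: one share on the auth network, one on the device, one
    # recovery factor (the shape used for a two-factor wallet).
    network, device, recovery = split_key(x, threshold=2, n_shares=3)
    msg = b"constructed sample transaction"
    sig = threshold_sign([network, device], msg)   # device + network sign together
    ok = verify(pub, msg, sig)
    recovered = reconstruct([device, recovery]) == x   # device + recovery factor suffice
    # A lone leaked share is consistent with *every* key in Z_q: pairing it with
    # each candidate second share yields each possible secret exactly once.
    candidates = {reconstruct([network, (2, guess)]) for guess in range(Q)}
    return ok and recovered and len(candidates) == Q


if __name__ == "__main__":
    print("threshold demo passed:", demo())
```

The last check in `demo()` is the property the two-factor claim rests on: with a 2-of-3 split, an attacker who compromises one factor and obtains its share learns nothing, because every one of the 509 possible keys is equally consistent with that share. Signing, meanwhile, only ever combines partial results, so the full key exists at no point in the process.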

Multichain Support

Web3Auth's SDKs are chain agnostic, i.e. they can be used with any blockchain. Today thousands of dApps built on numerous blockchains have integrated Web3Auth. Magic, on the other hand, supports 20+ popular blockchains.

White Labelling and Customisation

Web3Auth lets applications and wallets fully customise and white-label the solution. Using the various integration options available, you can even make Web3Auth entirely invisible in the user flow, so the experience is your application's from end to end. Magic does provide a range of customisation options, but they are limited compared to Web3Auth.

Scalability

Both solutions do well in terms of user scalability and availability across multiple regions. Magic is hosted on AWS, so its worldwide availability is that of Amazon's infrastructure, including the HSMs behind AWS KMS; these servers are owned and operated by Amazon.

Web3Auth's network of nodes is hosted worldwide by trusted industry leaders such as Polygon, Binance, Tendermint, ENS and Etherscan. Additionally, with Web3Auth's new Sapphire network, applications can choose to run their own nodes alongside the public ones, giving them flexibility and control over how their user base scales.

Ease of Integration

A basic integration of either platform is easy and straightforward. With Web3Auth, a basic integration of the Plug and Play SDKs requires just four steps, with thorough documentation and examples guiding you through building your own customised solution. A basic integration takes less than 15 minutes of work and needs no extra customisation to be production ready. You also have the flexibility to migrate to a more advanced integration using our range of SDKs for different use cases and platforms, and our integration builder generates ready-to-use code, shaped to your requirements, that can be dropped directly into your application.

A basic Magic integration takes a similar approach with one additional step: to use any social login provider other than email passwordless login, you need to set up custom authentication. Their documentation and guides are easy to follow, and one can work out how to implement them quickly.

Open Source & Native Platform Support

Open source is at the heart of decentralisation. Both Web3Auth and Magic have strong multi-platform support and an active open source community around their products. Web3Auth supports Android, iOS, Flutter, React Native, Unity and Unreal Engine. Magic supports all of these except Unreal Engine, and additionally supports PHP and WordPress logins.

At Web3Auth, all of these SDKs are open source, as are our core infrastructure SDKs and the smart contracts controlling the nodes, and they have been audited by some of the top smart contract auditing firms in the world. Magic's SDKs are open source, while its encryption and DKMS (Delegated Key Management System) remain closed source.

Final Thoughts

Although Magic is a great product for onboarding users into the Web3 world, Web3Auth has a clear advantage over it at the core infrastructure level. As the more advanced product, with a greater emphasis on security, non-custodiality and customisation, Web3Auth is the clear choice in almost every situation where user wallet management and recoverability matter.