In this article:
- How MetaMask's security differs from traditional web accounts
- What is a Secret Recovery Phrase?
- Secret Recovery Phrase Dos and Don'ts
- Secret Recovery Phrase FAQs
- Passwords and MetaMask
- Private keys FAQs
MetaMask: a different model of account security
Public blockchain technology uses a very different set of tools to secure user data, compared to traditional online technologies. Most of us are used to creating an account with an app, or service, or what have you, and being able to, for example, write to Customer Support to reset our password, or username; we're used to the app keeping our data, presumably on some sort of computer that belongs to the company.
Well... MetaMask doesn't work like that. MetaMask has three different types of secret that are used in different ways to keep your wallet, and your accounts, private and safe: The Secret Recovery Phrase, the password, and private keys. We'll walk you through these secrets one at a time.
Intro to Secret Recovery Phrases
One of the key (you'll see what I did there) technologies underlying MetaMask, and most user account-related tools in the crypto space, is the seed phrase, or, as it's referred to in MetaMask, your Secret Recovery Phrase.
All of your accounts are mathematically derived from your Secret Recovery Phrase. You can think of the SRP as a keyring that holds as many private keys as you could want, and each of those keys controls an account.
Now, if you want a technical explanation: seed phrases as we know them today were codified for use in Bitcoin, under a standard referred to as Bitcoin Improvement Proposal 39, or BIP-39. In simple terms, a series of words is selected with a high level of randomness from a specific list of words. In MetaMask and many other Ethereum-compatible technologies, there are 12 words in a seed phrase. Some older seeds generated by the Brave browser, and some hardware wallets, use 24-word phrases.
Each of these words corresponds to a series of numbers, and the words, placed in a specific order, represent a much more user-friendly way to remember a very, very long number. That number is then used to deterministically generate your accounts, which is why you may hear people refer to deterministic wallets. In computer science, deterministic describes a process (usually an algorithm of some kind) that always produces the same result from the same input. In other words, your Secret Recovery Phrase will always generate the same set of accounts derived from it.
There are a number of important features to note here:
- The Secret Recovery Phrase is the secret that controls the wallet. If someone has this secret, they have complete access to the wallet. MetaMask does not keep your SRP: you are the custodian of your wallet. MetaMask representatives will never ask for your Secret Recovery Phrase, even in a customer support scenario. If someone does ask for it, they are likely trying to scam you or steal your funds.
- Your SRP is used locally to derive private keys, one per account/address. Accounts are stored on the blockchain, and these private keys unlock those accounts.
- If you uninstall the app or the extension, then the local version of the data is gone (the notable exception being the vault), but any transactions you performed with that local version of MetaMask will have been recorded on the blockchain. Therefore, the transactions should be reflected both on a block explorer, and in another instance of MetaMask, so long as you restore using the same Secret Recovery Phrase (with the words in the same order). This means that so long as you have your Secret Recovery Phrase, you will always be able to uninstall MetaMask and restore your wallet.
- Within your wallet, you can have a very large number of separate accounts. When MetaMask creates or restores your wallet from the Secret Recovery Phrase, it initially produces only the first account. However, any additional accounts you created can be re-created in a future instance of MetaMask; as the wallet is deterministic, it will always re-create the same accounts, in the same order. For more on this issue, see the FAQs below. Note, however, that the additional accounts (beyond the first, automatically labelled 'Account 1') will not be automatically re-added to your wallet in all circumstances. See our explanation here for more information.
- It is possible to import accounts from other Ethereum-compatible technologies into a MetaMask wallet. To do so, the private key of that specific account is used. However, this account will not be automatically restored by MetaMask in another instance; you will have to manually re-add it. Therefore, if you have manually imported accounts, make note of their private keys, in the same way you did your seed phrase, in order to be able to re-import them in the future.
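To make the "same words in the same order" point concrete, here is an added example (not MetaMask's own code) of the two standard steps a wallet performs behind the scenes: BIP-39 stretches the word sequence into a 64-byte seed, and BIP-32 turns that seed into the root key from which every account key is derived. It assumes the phrase is already a valid one; a real wallet additionally checks the words against the BIP-39 wordlist and its checksum, which this example omits, and MetaMask uses an empty BIP-39 passphrase (the test vector below uses "TREZOR" only because that is how the published vector is defined).

```python
import hashlib
import hmac
import unicodedata


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39: stretch the normalised word sequence into a 64-byte seed.

    The words themselves are the key material; the salt is the literal
    string "mnemonic" followed by the optional passphrase (empty by default).
    """
    words = " ".join(mnemonic.split())  # collapse stray whitespace between words
    key = unicodedata.normalize("NFKD", words).encode("utf-8")
    salt = unicodedata.normalize("NFKD", "mnemonic" + passphrase).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha512", key, salt, 2048, dklen=64)


def seed_to_master_key(seed: bytes) -> tuple[bytes, bytes]:
    """BIP-32: derive the root private key and chain code from the seed.

    Every account key in the wallet is derived from this root, which is
    why the same phrase always restores the same accounts.
    """
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    return digest[:32], digest[32:]


def same_wallet(phrase_a: str, phrase_b: str) -> bool:
    """True when two phrases would restore the same wallet (same root key)."""
    root_a = seed_to_master_key(mnemonic_to_seed(phrase_a))
    root_b = seed_to_master_key(mnemonic_to_seed(phrase_b))
    return root_a == root_b


# Constructed inputs: the first official BIP-39 test vector, and the same
# twelve words with one moved to the front.
PHRASE = "abandon " * 11 + "about"
REORDERED = "about " + "abandon " * 10 + "abandon"


if __name__ == "__main__":
    print("seed:", mnemonic_to_seed(PHRASE, "TREZOR").hex())
    print("re-entering the same phrase restores the same wallet:", same_wallet(PHRASE, PHRASE))
    print("reordering the words restores a different wallet:", not same_wallet(PHRASE, REORDERED))
```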
MetaMask Secret Recovery Phrase: Dos and Don'ts
Do:
- Write down your Secret Recovery Phrase somewhere safe
- Double-check your spelling and that you wrote down every word in the same order they were given
- Reach out to MetaMask Support's official channels if you need help
Don't:
- Keep it in an easily discovered or easily hacked location, e.g. in a cloud-saved document or email titled "Seed Phrase", or on a post-it note stuck to your computer
- Provide your seed phrase to anyone, even if they say they're from MetaMask Support
- Change the order of the words
Secret Recovery Phrases: FAQs
My seed phrase restored a different account!
Passwords and MetaMask
MetaMask uses passwords for a single purpose: to secure the app itself; in other words, to open the app, be it the Mobile app or the in-browser Extension. Once you've restored or created your wallet from your Secret Recovery Phrase, you won't need the phrase on a regular basis (although you should keep it backed up and safe), and you will use your password (or, more commonly on Mobile, biometric authentication such as facial recognition or your fingerprint) to unlock the app. For more details, see our article here.
While a Secret Recovery Phrase is used to create and restore your entire MetaMask Wallet, including all accounts created in that wallet, each account has its own private key. This key can be used to import that account, and that account only, into a different wallet. Similarly, single accounts from other crypto technologies can be imported to your MetaMask wallet.