Alex is a Senior Product Manager developing the future of accounts at MetaMask. He is passionate about permissionless innovation, creating a decentralised political economy, and putting the UK’s democracy on-chain.
From today, explore new ways to manage Ethereum accounts in MetaMask Extension with MetaMask Snaps. The latest milestone towards a permissionless future for ...
Blockchain technology holds immense potential, promising a decentralized, censorship-resistant, and permissionless internet. However, the complexity of blockchain protocols like Ethereum necessitates an interface for users to harness this potential. 100 million users later, MetaMask has become that interface for many, although it’s got here despite a bit of a problem.
That problem is the fact that every user who wants to claim a self-custodial wallet with MetaMask needs to record a twelve-word Secret Recovery Phrase as they are onboarded. These twelve words form the crux of the MetaMask experience, generating the cryptographic keys that create the accounts holding valuable assets.
When MetaMask started over seven years ago the Secret Recovery Phrase was an elegant solution to the problem of representing cryptographic keys (having its roots in the Bitcoin community as far back as 2013). The corresponding cryptographic algorithm is incredibly scalable, interoperable, and ultimately gives users a uniquely secure method to transport potentially limitless amounts of value around the world, providing they can keep those twelve words secret and safe.
However, maintaining the secrecy and safety of these twelve words is a daunting task. I’ve personally read countless heart-wrenching stories of MetaMask users reporting they’ve lost their twelve words and so cannot access their funds anymore. Worse still, users often fall prey to phishing scams, handing over their Secret Recovery Phrase and having their assets stolen. This single point of failure also presents a tempting target for hackers.
It’s a bit clichéd for anyone familiar with this problem to reiterate once again, but there has to be a better way.
For a while, MetaMask attempted to solve some of the problems with the Secret Recovery Phrase by integrating as many different hardware wallets as possible. These are devices that store cryptographic keys offline, and so make it much more difficult for a hacker to infiltrate. Following this strategy, we started to integrate all the major hardware wallets available.
The Grid+ Lattice 1, Ledger Nano X, Trezor Model T, and Keystone Pro are just some of the hardware wallets integrated with MetaMask. More info at MetaMask’s hardware wallet hub.
However, these integrations are labor intensive, technically challenging, and require careful partnership management. By way of example, our MetaMask Mobile Ledger integration has been delayed by over a year (we’re still working on it though, I promise!). Additionally, as a result of these challenges, we’ve had to say “no” to numerous other integration requests over the years, even when a company has come to us with a fully functioning branch of the MetaMask codebase supporting their product (sorry BitBox!). With everything else we’re trying to accomplish, it’s just impossible to spare the time to review those hundreds of lines of code and then finally merge, while also ensuring our high security and stability standards.
This has never felt right. A lot of us at MetaMask, myself included, got involved in this industry due to its decentralized, permissionless promise, not to become de-facto gatekeepers. To remedy this problem to a degree, we worked with Keystone to add a permissionless method of integrating hardware wallets into MetaMask via QR codes. Now, as long as a third-party hardware wallet manufacturer can adopt this QR code connectivity standard (ERC-4527), they can integrate with MetaMask without ever engaging with us. Gone was the temporary role of being a hardware wallet integration gatekeeper.
Although our industry never sits still.
Over the past few years our industry has seen huge advancements in account management. Multi-Party Computation (MPC) has become quicker and more performant to allow the generation of cryptographic keys across different nodes: eliminating single sources of failure in certain contexts. Smart contract accounts are also becoming more accessible and cheaper via various Ethereum scaling solutions and improvements in line with ERC-4337: say hello to social recovery and biometric signing. Hardware wallets also continue to develop: see the recent announcements of the new Ledger Stax, Trezor Safe 3, and Keystone 3 Pro.
Again, it’s impossible for one team to integrate and then maintain all of these account management solutions. Moreover, betting on a single solution is probably just as unfeasible, given the rapid pace of our industry and the diverse needs of the next billion blockchain users that MetaMask aims to serve.
The only way to begin imagining how to integrate all of these different account management solutions is to make the wallet more community driven, by reinventing the software of the wallet entirely, which is precisely what MetaMask Snaps does. In the words of MetaMask's co-founder Dan Finlay an end goal of MetaMask Snaps is "permissionless computing". This is a lofty goal when making a security-sensitive product, but it’s perhaps the only way to drive MetaMask towards the vision of creating a gateway to web3 for everyone.
Today marks a critical milestone in that journey as we launch new Snap APIs that enable community-driven features around one of the most important components of any wallet – account management – to start chipping away at the problems associated with the Secret Recovery Phrase.
To enable new account management experiences we’re launching the powerful Keyring API today in MetaMask Extension, which any developer can use to bring their account management ideas to MetaMask. Launching any product update like this is daunting, which is why today also marks the beginning of our Experimental Beta program for Account Management Snaps. We didn’t want to continue building out this functionality behind closed doors, so if you’re a power-user comfortable testing out advanced features, we invite you to test out our first three Snaps in this category (Silent Shard, Safeheron, Capsule) and to let us know what you think.
You can install these new Snaps via the official MetaMask Snaps Directory, however you can also go to the Experimental Settings in the MetaMask Extension to test a new Account Management Snap interface. Once an Account Management Snap is installed and set up, it will appear in your MetaMask Account List and function like any other account in MetaMask, such as allowing you to transact and interact with dapps.
Please note that all Snaps are third-party services and are used at your own risk. However, we're excited by what the community has already created. The first version of the Keyring API is particularly well-suited to Multi-Factor Authentication experiences powered by MPC, reducing the single point of failure limitation of the Secret Recovery Phrase.
Silent Shard creates a two-factor-authentication experience with MetaMask’s Extension and a companion smartphone app. For added usability, you can save a part of your private key in your Apple or Google password manager.
Install Snap
Safeheron is a 2/3 multi-factor-authentication experience between MetaMask Extension and two smartphone apps. For added security, all communication is secured over the Local Area Network (LAN).
Install Snap
Capsule secures your new MetaMask Extension account’s private key with a convenient and secure passkey. You can also connect this account with any other Capsule account created on a third party website.
Install Snap
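The three Snaps above all rest on the same idea: split control of an account across several factors so that no single device, app, or phrase is a single point of failure, and require a threshold of them (for example 2 of 3) to act. The following is an added illustration of that threshold property using Shamir secret sharing; it is not the code of Silent Shard, Safeheron, Capsule, or MetaMask, and it is not an MPC protocol. Real MPC wallets sign without ever reconstructing the private key in one place; here the key is reconstructed only to make the threshold behaviour visible. The field modulus, the sample key, and the function names are all assumptions chosen for the example.

```python
"""Toy k-of-n threshold secret sharing (Shamir) over a prime field.

Added example: models the "any 2 of 3 factors recover the account,
any 1 alone does not" property behind multi-factor account Snaps.
Not a production scheme and not how the Snaps in this post are built.
"""
import secrets

# Assumed field modulus: the secp256k1 group order, so any 32-byte
# Ethereum private key is a valid field element.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def split_secret(secret: int, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `secret` into `shares` points on a random polynomial of
    degree threshold-1 whose constant term is the secret."""
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    if not 0 <= secret < P:
        raise ValueError("secret is outside the field")
    # Random coefficients come from a CSPRNG; a1..a_{k-1} must never be reused.
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    points = []
    for x in range(1, shares + 1):          # x = 0 is never handed out: f(0) is the secret
        y = 0
        for c in reversed(coeffs):          # Horner evaluation of f(x) mod P
            y = (y * x + c) % P
        points.append((x, y))
    return points


def recover_secret(points: list[tuple[int, int]]) -> int:
    """Lagrange-interpolate f(0) from the given points.

    With at least `threshold` distinct points this returns the secret.
    With fewer it still returns *a* value, but one that is unrelated to
    the secret: a lone factor learns nothing useful.
    """
    xs = [x for x, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share index")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = (num * (-xj)) % P
                den = (den * (xi - xj)) % P
        lagrange = num * pow(den, P - 2, P) % P   # modular inverse via Fermat
        total = (total + yi * lagrange) % P
    return total


def two_of_three_demo(private_key: int) -> bool:
    """Return True when every pair of shares recovers the key and a
    single share does not (the failure mode to understand before trusting
    any threshold setup)."""
    shares = split_secret(private_key, threshold=2, shares=3)
    pairs = [shares[:2], shares[1:], [shares[0], shares[2]]]
    all_pairs_ok = all(recover_secret(pair) == private_key for pair in pairs)
    single_fails = recover_secret(shares[:1]) != private_key
    return all_pairs_ok and single_fails


if __name__ == "__main__":
    # Constructed sample key for the demo (not a real account key).
    demo_key = int.from_bytes(bytes(range(1, 33)), "big")
    print("2-of-3 threshold holds:", two_of_three_demo(demo_key))
```

The same functions handle other thresholds, for example `split_secret(key, 3, 5)` for a 3-of-5 policy; what matters for the post's "2/3" language is that recovery works from any subset of at least the threshold size and, with fewer shares, yields an unrelated value rather than a partial leak of the key.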
We currently require all Snaps that integrate with MetaMask Extension to have completed an independent code audit on their Snap. For Account Management Snaps we’re also requiring an additional audit on their MPC code (or equivalent, such as a smart contract or hardware wallet), with that audit being made publicly available as well. Over time we’ll eventually get towards a truly permissionless ecosystem, and if that is something important to you today, we recommend our developer-centric product MetaMask Flask.
It’s also worth confirming that the Keyring API has an architecture where these Snaps cannot access your existing MetaMask Secret Recovery Phrase. These new Snaps must either generate an entirely new private key or derive an entirely new private key from your Secret Recovery Phrase in a way that prevents them from accessing your other Ethereum accounts. Account Management Snaps also benefit from the secure sandboxed execution environment that all Snaps run in.
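The isolation property described above, that a Snap can receive key material derived from the wallet's secret without learning the phrase or the keys of the wallet's own accounts, comes down to domain-separated, one-way derivation. The block below is an added illustration of that idea and not MetaMask's Keyring API or its real derivation paths: it stands in for BIP-32/BIP-44 derivation with HKDF-SHA256 (RFC 5869), uses the Snap identifier as the domain separator, and treats the `master_seed`, the label strings, and the function names as assumptions of the example.

```python
"""Domain-separated key derivation for account-management plugins.

Added example, not MetaMask code. It shows why a Snap handed only its own
derived key cannot compute the wallet's account keys: every key is a
one-way function (HMAC) of the master seed under a distinct label, so
siblings cannot be reached from each other, only from the seed itself.
"""
import hashlib
import hmac


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with SHA-256: extract a PRK, then expand it."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def main_account_key(master_seed: bytes, index: int) -> bytes:
    """Key for the wallet's own account number `index`.
    Assumed label; a real wallet would use a BIP-44 path here."""
    return hkdf_sha256(master_seed, b"wallet-accounts", index.to_bytes(4, "big"))


def snap_private_key(master_seed: bytes, snap_id: str) -> bytes:
    """Key material handed to one Snap. The Snap id is the domain
    separator, so two Snaps never share key material and neither
    can derive the wallet's accounts from what it receives."""
    return hkdf_sha256(master_seed, b"snap-keyring", snap_id.encode())


def isolation_check(master_seed: bytes, snap_id: str, n_accounts: int) -> bool:
    """True if the Snap's key collides with none of the first
    `n_accounts` wallet account keys (sanity check, not a proof)."""
    snap_key = snap_private_key(master_seed, snap_id)
    return all(main_account_key(master_seed, i) != snap_key for i in range(n_accounts))


if __name__ == "__main__":
    # Constructed seed for the demo; a real seed comes from the recovery phrase.
    seed = bytes(range(64))
    print(snap_private_key(seed, "npm:@example/snap-a").hex())
    print("isolated from first 10 accounts:", isolation_check(seed, "npm:@example/snap-a", 10))
```

The security argument is in the labels, not the code volume: the Snap id enters the derivation, the Snap receives only the output, and HMAC's one-wayness means that output cannot be run backwards to the seed or sideways to an account key. A Snap that instead generates a fresh random key, the other option the post describes, needs no derivation at all.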
We're thrilled about today's release, and this is just the beginning. We’re confident that the first Snaps to use the new Keyring API will continue to improve, and we’re also planning to enhance the Keyring API itself. We’re currently hard at work enabling the sending of userOps to support ERC-4337 smart contract accounts, and we’re experimenting with Snaps on mobile too.
Starting today, if you’re a power-user looking to experiment with new features, you should download the latest version of MetaMask Extension and give Account Management Snaps a whirl. If you're a developer interested in building with us, check out the Keyring API docs. If you have a concrete Account Management Snap idea, we'd love to hear about it. Lastly, please share your thoughts about this entire feature release via our feedback form.
Let’s start solving the problems associated with the Secret Recovery Phrase together.