MetaMask is the world's leading self-custodial crypto wallet and gateway to decentralized finance, built by Consensys.
Read all articlesA crypto wallet doesn't hold cryptocurrency. It holds the Private Keys that prove ownership. Understanding what that means is the first step to using crypto safely.

A crypto wallet is software or hardware that stores the passwords (aka Private Keys) used to send, receive, and manage cryptocurrencies. The wallet does not hold the cryptocurrency itself; those assets live on the blockchain, a distributed ledger maintained by a global network of computers. The wallet holds the cryptographic credentials that control these digital assets.
This guide covers the fundamentals about crypto wallets: how crypto wallets work, what a Secret Recovery Phrase does, who controls the funds in it, and what types of wallets exist.
Disclaimer: This content is for educational purposes only. It is not financial advice, not a solicitation, and not for UK audiences. Cryptocurrency wallets and digital assets are risky and not suitable for all users.
Every crypto wallet relies on two pieces of cryptography: a Public Key and a Private Key.
A Public Key works similarly to a bank account number. It generates wallet addresses—the long strings of letters and numbers used to receive funds. Public keys and addresses can be shared freely. Anyone can send cryptocurrency to a public address without gaining any control over the wallet.
A Private Key works like the password to that account. It's a randomly generated string (typically 256 bits for Ethereum and Bitcoin) that mathematically corresponds to the Public Key. Whoever holds the Private Key can sign transactions, which means they can move, spend, or interact with assets tied to that key pair. There is no password reset. No customer support line. No central authority that can recover a lost Private Key.
The relationship between the two keys is one-directional. Deriving a Public Key from a Private Key is easy. Reversing the process—guessing a Private Key from a Public Key—is computationally impossible with current technology. That asymmetry is what allows blockchain ownership to work without a bank or intermediary.
When someone sends crypto from one address to another: the wallet uses the Private Key to create a digital signature authorizing the transfer. That signed transaction is broadcast to the blockchain network, verified by nodes (computers that validate transactions), and permanently recorded. The wallet itself is the interface that makes that process manageable; it stores the key, constructs the transaction, and communicates with the network.
A simple example: sending 0.5 ETH to a friend. The user opens their wallet, enters the friend's public address, specifies 0.5 ETH, and confirms. Behind the scenes, the wallet constructs a transaction, signs it with the Private Key, and submits it to the Ethereum network. Nodes verify that the signature is valid and that the wallet holds enough ETH to cover the transfer plus network fees (the small cost paid to the network for processing the transaction). Once confirmed, the blockchain records the transfer permanently. The whole process typically takes 15–30 seconds on Ethereum.
The key point for beginners: a self-custodial crypto wallet is a key manager. Protect the key and the assets are safe. Lose the key and the assets are gone.
Most self-custodial wallets—wallets where the user holds the Private Keys, not a company or exchange—don't require users to handle raw Private Keys directly. Instead, when the wallet is created, it generates a Secret Recovery Phrase—a sequence of 12 or 24 English words selected from a standardized list defined by BIP-39 (a widely adopted Bitcoin Improvement Proposal).
The Secret Recovery Phrase is a human-readable version of a master seed, a single root value from which all of a wallet's Private Keys and accounts are mathematically generated. One phrase can produce an entire tree of accounts across multiple blockchain networks—which is why the same Secret Recovery Phrase, entered into any compatible wallet app, restores access to every account and asset derived from it.
In practice, here's what that looks like. When someone sets up a new self-custodial wallet, the app displays 12 or 24 words in a specific order and asks the user to write them down. The app then typically asks the user to confirm the phrase by entering some or all of the words back. That confirmation step isn't a formality—it's the last moment the wallet ensures the user has actually recorded the one thing that can recover their assets if anything goes wrong.
Custodial wallets—exchange accounts like Coinbase or Kraken—don't show a Secret Recovery Phrase. The exchange manages the keys internally, and the user logs in with a username and password like any other online account. The Secret Recovery Phrase only exists when the user holds their own keys.
That makes the Secret Recovery Phrase the ultimate backup, and the ultimate vulnerability. If a phone is destroyed, a laptop is stolen, or a browser extension is uninstalled, the phrase restores everything. If someone else gets this phrase, they can also control funds in the wallet.
Storing a Secret Recovery Phrase securely is the most important practice for self-custodial crypto wallet management:
Write it on paper or engrave it on metal for durability
Keep it in a physically secure location separate from the device the wallet runs on
Never type it into a website, share it in a message, or enter it anywhere other than a wallet app during recovery
Never store it in a screenshot, cloud note, email draft, or password manager
No legitimate wallet, support team, or blockchain protocol will ever ask for a Secret Recovery Phrase. Any message requesting it, regardless of how official it looks, is a scam. For MetaMask-specific guidance on backing up and revealing a Secret Recovery Phrase, see how to secure your Secret Recovery Phrase.
Who holds the Private Keys is the most consequential decision in crypto security.
Custodial wallets are managed by a third party—typically a centralized exchange such as Coinbase or Kraken. When someone buys crypto on an exchange and leaves it there, the exchange holds the Private Keys on the user's behalf, and therefore controls the funds inside the wallet. The experience looks like online banking: log in with a username and password, see a balance, make transactions.
The appeal is convenience. Password recovery exists. Customer support may be able to help with account access. The provider handles all the technical complexity of key management. For someone new to crypto, a custodial wallet removes the burden of securing Private Keys and a Secret Recovery Phrase.
The tradeoff is counterparty risk. Assets in a custodial wallet are only as safe as the custodian. If the exchange is hacked, freezes accounts, or goes bankrupt, users may lose access to their funds. The collapse of FTX in November 2022 left more than one million creditors unable to access their assets during a multi-year bankruptcy process.
Self-custodial wallets, like MetaMask, put the Private Keys entirely in the user's hands. No company holds the keys, no intermediary can freeze the account, and no third party can authorize or block transactions. The user controls the assets through their Private Keys and Secret Recovery Phrase—and only the user.
Self-custody is the model blockchain technology was built for. It removes counterparty risk entirely: there's no exchange to fail, no company to be hacked at the custodial level, and no terms of service that can restrict access. It also removes the safety net. There's no password reset for a lost Secret Recovery Phrase. No support desk can reverse a transaction sent to the wrong address. Self-custody means full responsibility.
The two models serve different needs, and understanding the tradeoff is more important than choosing a side. Custodial wallets trade sovereignty for convenience. Self-custodial wallets trade convenience for control. Neither is inherently better—what matters is knowing what each one asks of the user.
Key consideration | Custodial wallet | Self-custodial wallet |
Who holds the keys | A third party (exchange, provider) | The user |
Account recovery | Password reset, customer support | Secret Recovery Phrase only—no external recovery |
Counterparty risk | Yes—provider can be hacked, freeze accounts, or fail | No third-party dependency |
User responsibility | Lower—provider manages key security | Higher—user manages keys, backups, and device security |
Blockchain access | Limited—transactions route through the provider | Full—direct interaction with apps, DeFi, and smart contracts |
For most people the choice isn't binary. Someone might keep a trading balance on an exchange for convenience while holding long-term assets in a self-custodial wallet. What matters is understanding what each model trades away.
Crypto wallets come in several forms based on their connectivity and device. This section covers what each type is and when it's used. Mobile crypto wallets
A mobile wallet is a smartphone app that stores Private Keys on the device, protected by biometric authentication (fingerprint or face recognition) and device-level encryption. Mobile wallets are the most portable form factor; they're available everywhere the phone goes, with features like QR code scanning, in-app decentralized app browsing, and token swaps built in.
The tradeoff: phones can be lost, stolen, or compromised. Keeping the operating system updated, using strong device authentication, and maintaining a secure offline backup of the Secret Recovery Phrase are essential. Desktop crypto wallets
A desktop wallet is a standalone application installed on a computer's operating system. It functions similarly to a browser extension but runs independently of the browser, which can offer more control over storage and a larger interface for complex portfolio management. Desktop wallets are less common than browser extensions for dapp interaction but remain popular for Bitcoin-focused workflows and users who prefer a dedicated application.
A browser extension wallet installs into Chrome, Firefox, Brave, or Edge and runs as a small application accessible from the browser toolbar. It injects a connection layer into web pages, which is how it communicates with decentralized apps (aka dapps)—DeFi protocols, NFT marketplaces, decentralized exchanges, and any other blockchain application that prompts a "connect wallet" button.
Browser extensions are the default wallet type for desktop DeFi and app interaction. When an app requests a transaction, the extension shows what the transaction will do—which tokens are involved, what smart contract is being called, whether a token approval is limited or unlimited—and the user confirms or rejects before anything is signed.
A hardware wallet, aka a cold wallet, is a dedicated physical device—typically USB-connected or Bluetooth-enabled—that stores Private Keys on an isolated secure element chip. The keys are generated inside the chip and never leave it, even when the device is connected to a computer. When a transaction needs signing, the request is sent to the device, displayed on its own screen for verification, and signed internally. Only the signed transaction is returned to the connected computer—not the Private Key.
Because the keys never touch an internet-connected environment, hardware wallets are immune to remote attacks like malware, phishing, and keyloggers. Ledger, Trezor, and Keystone are the most widely recognized manufacturers, with devices typically costing $60–$200.
Hardware wallets pair with software wallet interfaces for the strongest combination of security and usability. For example, connecting a Ledger device to MetaMask Extension, lets users browse applications and sign transactions through the browser while the Private Keys stay on the hardware device.
Choosing the right wallet depends on how you plan to use crypto.
New to crypto and learning how it works. A custodial account on a regulated exchange can offer a low-friction starting point. The exchange handles key security and provides familiar account recovery. The tradeoff—counterparty risk—is worth understanding even at this stage, because it shapes every decision that comes after. Some self-custodial crypto wallets, like MetaMask, offer beginner friendly apps that are geared towards users of every level.
Ready to take ownership of assets. A self-custodial software wallet—browser extension for desktop DeFi or mobile app for everyday access—provides direct blockchain interaction with manageable setup. The critical step is backing up the Secret Recovery Phrase properly. Everything else in self-custodial security builds on that foundation.
Holding significant value or storing assets long-term. Adding a hardware wallet removes internet-connected attack surfaces entirely. Pairing it with a software wallet interface delivers both security and usability. The general principle: if losing the assets in the wallet would cause meaningful financial harm, the $60–$200 cost of a hardware device is worth it.
Active blockchain user. Swapping tokens, providing liquidity, minting NFTs, and interacting with DeFi protocols require a browser extension wallet connected to the relevant networks. Pairing with a hardware wallet means active DeFi participation can still benefit from offline key security.
Many experienced users run multiple wallets across categories: a custodial exchange account for fiat onramps, a software wallet for app interaction, and a hardware wallet for cold storage. The combination matters more than any single choice. What changes over time is the balance—beginners typically start with a custodial account, move to a software wallet as they gain confidence, and add hardware when the stakes justify it.