Quick orientation

MetaMask is a self-custody Ethereum-compatible wallet used as a browser extension and mobile app. It stores your private keys locally, allowing you to interact with decentralized applications (dApps), sign transactions, and manage tokens. Because MetaMask gives direct control over assets, login safety and key management are paramount. This guide gives a comprehensive, practical walkthrough you can apply immediately.

Immediate action: if you haven't backed up your MetaMask seed phrase (12-word recovery phrase), do it now — losing that phrase means losing access forever.

What "login" means for MetaMask

Unlike custodial platforms, MetaMask doesn't authenticate you to a central server — it unlocks a local wallet using a password that decrypts your seed phrase/private keys stored in the browser or app. "Logging in" typically means unlocking your extension or app with your password or biometrics (mobile). Always understand that the real secrets are the seed phrase and private keys — protect them.

Installing MetaMask & creating (or importing) a wallet

Browser extension

  1. Install MetaMask from the official source: visit https://metamask.io and follow the link to your browser's extension store.
  2. Add the extension and pin it to your toolbar for quick access.
  3. Open MetaMask and choose "Create a Wallet", or choose "Import Wallet" if you already have a seed phrase.
  4. When creating, write down the 12-word seed phrase exactly and store it offline (paper, safe). Confirm by entering the words when prompted.
  5. Create a strong local password to unlock the extension on your machine.

Mobile app

  1. Install the MetaMask mobile app from the App Store or Google Play (verify the developer: ConsenSys).
  2. Open the app, choose Create or Import, and follow the same seed and password steps. Enable biometrics for convenient unlocking.

Never share your seed phrase, private key, or password. MetaMask support will never ask for them. Treat the seed like the master key to your funds.

Unlocking MetaMask & session considerations

To use MetaMask you unlock the wallet locally. On the extension, the wallet remains unlocked until locked manually or until your browser restarts (depending on settings). On mobile, you unlock with password or biometrics. Configure auto-lock timeouts and lock on browser close to reduce exposure if someone else uses your device.

Recommended session settings

  • Set an auto-lock timeout (e.g., 5–15 minutes) for the extension if you step away from your computer frequently.
  • Enable lock on browser close where available to force re-authentication after restarts.
  • Use biometric unlock on mobile for convenience but keep a secure, strong password as the root recovery method.

Seed phrase & private key safety — absolute priorities

The seed phrase (12 or 24 words) is the canonical recovery mechanism. Whoever has that phrase controls the wallet. Protect it like you would a physical vault key.

Secure storage recommendations

  • Write it on paper: store the paper in a safe or safety deposit box. Consider multiple geographically separated copies for disaster resilience.
  • Steel backups: for long-term durability, record the seed on a steel backup device that survives fire and water.
  • Encrypted backups: if you store digitally, use a hardware-encrypted drive with a strong passphrase — but offline physical copies are preferable.
  • Never store unencrypted copies in cloud drives, screenshots, or email drafts.

If your seed phrase is compromised, immediately move funds to a new wallet with a new seed phrase. Do not reuse the same seed or derivations of it.

Hardware wallet integration (recommended for large balances)

MetaMask supports connecting hardware wallets (e.g., Ledger, Trezor). Hardware wallets keep private keys offline and require physical confirmation for signing — vastly improving security against remote attacks.

How to connect

  1. Plug in or pair your hardware wallet and open the MetaMask extension.
  2. Choose "Connect Hardware Wallet" from MetaMask’s account menu and follow prompts to select your device and account(s).
  3. When you sign a transaction, confirm on the hardware device physically — this prevents silent signing by malicious sites.

Best practice: keep your primary operational wallet (small amounts) in MetaMask with a hardware wallet for signing, and store the majority of funds in a separate cold wallet or multisig setup.

Connecting to dApps & permissions hygiene

MetaMask acts as the bridge between your wallet and web applications. When a dApp requests access, MetaMask prompts you to approve which account and which permissions (connect, sign messages, sign transactions).

Permission checklist before connecting

  • Verify the dApp URL — prefer bookmarks or direct typed URLs rather than email links.
  • Check the requested permissions: connecting is one thing; allowing token approvals or spending approvals is another.
  • Limit approvals: when approving ERC-20 token allowances, prefer limited allowances or use a spender-approval revocation tool afterwards.
  • Use separate addresses for different dApps when possible to reduce exposure.

Never approve a transaction if the parameters (destination address, amount, gas) look unfamiliar. Attackers often use deceptive UI to trick users into approving malicious transfers.

Token approvals & revocation tools

ERC-20 and ERC-721 approvals allow contracts to move tokens on your behalf. Regularly audit and revoke approvals you no longer need to minimize attack surface.

How to review and revoke

  • Use reputable tools (Etherscan token approval checker, Revoke.cash, or similar, carefully verifying the site) to list active approvals.
  • Revoke unneeded approvals or reduce them to minimal amounts.
  • If you ever suspect a malicious approval, revoke it immediately and consider moving assets to a new wallet.

Be cautious: only use well-known approval-revocation services and verify HTTPS and domain authenticity before connecting your wallet.
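
The approvals discussed in this section and in the permission checklist above are ordinary contract calls, so the data a dApp asks you to sign can be decoded and classified before you confirm. The JavaScript below is an added example, not MetaMask's or any revocation tool's code; the spender address and sample calldata are constructed, and for an ERC-721 "approve" the second word is a token ID rather than an amount.

```javascript
// Added example, not MetaMask code: classify calldata before signing it.
// A selector is the first 4 bytes of keccak256 of the function signature.
const APPROVAL_SELECTORS = new Map([
  ["095ea7b3", "approve(address,uint256)"],
  ["39509351", "increaseAllowance(address,uint256)"],
  ["a22cb465", "setApprovalForAll(address,bool)"],
]);
const MAX_UINT256 = (1n << 256n) - 1n;

function decodeApproval(calldata) {
  if (typeof calldata !== "string") return { kind: "invalid" };
  const hex = calldata.toLowerCase().replace(/^0x/, "");
  if (hex.length < 8 || !/^[0-9a-f]+$/.test(hex)) return { kind: "invalid" };
  const signature = APPROVAL_SELECTORS.get(hex.slice(0, 8));
  if (!signature) return { kind: "other" };
  // Both arguments are 32-byte ABI words (64 hex characters each).
  if (hex.length < 8 + 128) return { kind: "malformed", signature };
  const word1 = hex.slice(8, 72);
  const word2 = hex.slice(72, 136);
  // An address is right-aligned in its word: the top 12 bytes must be zero.
  if (!word1.startsWith("0".repeat(24))) return { kind: "malformed", signature };
  const spender = "0x" + word1.slice(24);
  const value = BigInt("0x" + word2);
  if (signature.startsWith("setApprovalForAll")) {
    // The second word is a bool: nonzero hands the operator every token.
    const risk = value === 0n ? "revocation" : "operator-for-all";
    return { kind: "approval", signature, spender, risk };
  }
  let risk = "limited";
  if (value === MAX_UINT256) risk = "unlimited";
  else if (value === 0n && signature.startsWith("approve(")) risk = "revocation";
  return { kind: "approval", signature, spender, amount: value, risk };
}

// Constructed samples: the spender is a placeholder, not a real contract.
const SPENDER = "ab".repeat(20);
const word = (h) => h.padStart(64, "0");
const SAMPLES = {
  unlimited: "0x095ea7b3" + word(SPENDER) + "f".repeat(64),
  limited: "0x095ea7b3" + word(SPENDER) + word((250n * 10n ** 18n).toString(16)),
  operator: "0xa22cb465" + word(SPENDER) + word("1"),
  revoke: "0x095ea7b3" + word(SPENDER) + word("0"),
};
```

Only the exact maximum value is labelled "unlimited" here; a very large but finite allowance still comes back as "limited", so read the decoded amount as well as the label.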

Phishing & social-engineering — practical defenses

Phishing is the most common initial attack vector. Attackers replicate dApp UI or send fake update notices that cause users to reveal seeds or approve malicious transactions.

Quick anti-phishing checklist

  • Never enter your seed phrase into a website, extension, or chat — only into MetaMask’s secure recovery field when importing a wallet.
  • Don’t follow random links asking you to "connect" or "recover" your wallet. If in doubt, navigate directly to the site via bookmark.
  • Use a separate browser/profile for Web3 activities and avoid installing unknown extensions in that profile.
  • Consider MetaMask’s phishing detection settings and browser safety extensions for added warning layers.

If you ever accidentally paste your seed phrase into a page or extension, consider the wallet compromised — move funds to a new wallet immediately.
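
One way to apply the "verify the URL, prefer bookmarks" advice from this checklist and the permission checklist mechanically, shown as an added JavaScript example that is not part of MetaMask. The allowlist is an assumed personal bookmark list and the sample links are constructed.

```javascript
// Added example, not MetaMask code. BOOKMARKED_HOSTS is an assumed personal
// allowlist; metamask.io and revoke.cash are the sites named in this guide.
const BOOKMARKED_HOSTS = ["metamask.io", "revoke.cash"];

// Constructed test links; .example is a reserved TLD and \u0430 is Cyrillic "a".
const SAMPLE_LINKS = [
  "https://metamask.io/download",
  "https://metamask.io.wallet-recover.example/",
  "https://metamask.io@login.example/",
  "https://met\u0430mask.io/",
  "http://revoke.cash/",
];

function checkDappUrl(rawUrl, allowlist = BOOKMARKED_HOSTS) {
  let url;
  try {
    url = new URL(rawUrl);
  } catch {
    return { verdict: "reject", reason: "not a parseable URL" };
  }
  if (url.protocol !== "https:") {
    return { verdict: "reject", reason: "not HTTPS" };
  }
  // "https://metamask.io@login.example/" really points at login.example.
  if (url.username || url.password) {
    return { verdict: "reject", reason: "userinfo before the host" };
  }
  const host = url.hostname.replace(/\.$/, ""); // URL() lowercases and punycodes
  if (allowlist.includes(host)) {
    return { verdict: "match", host };
  }
  // Internationalised labels arrive as "xn--..." and can hide look-alike letters.
  if (host.split(".").some((label) => label.startsWith("xn--"))) {
    return { verdict: "lookalike", host, reason: "punycode label" };
  }
  // A bookmarked name embedded in some other host is a classic lure.
  const brands = allowlist.map((h) => h.split(".")[0]);
  if (brands.some((brand) => host.includes(brand))) {
    return { verdict: "lookalike", host, reason: "bookmarked name in a different host" };
  }
  return { verdict: "unknown", host };
}

function reviewLinks(links = SAMPLE_LINKS) {
  return links.map((link) => checkDappUrl(link).verdict);
}
```

A "match" means only that the hostname equals a bookmarked one exactly; subdomains and unrelated sites come back as "lookalike" or "unknown" and still need a manual check.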

Recovery & emergency response

If you lose access to MetaMask or suspect compromise, act quickly and deliberately.

Immediate steps if compromised

  1. Move remaining funds to a fresh wallet with a newly generated seed (using a secure, uncompromised device and preferably a hardware wallet for the destination).
  2. Revoke approvals associated with the old wallet where possible.
  3. Change any associated account passwords and remove linked browser extensions that may be malicious.
  4. Contact projects or services where funds were staked or locked to inform them — sometimes pausing or recovering funds is possible if action is prompt.

Plan ahead: practice recovering a small test wallet and moving funds. Familiarity reduces panic during a real incident.

Troubleshooting common MetaMask issues

Extension not loading

  • Reload your browser and ensure the MetaMask extension is enabled.
  • Clear browser cache or try a fresh browser profile dedicated to Web3.
  • Update or reinstall MetaMask from the official site if problems persist.

Can't sign transaction

  • Confirm the network selection in MetaMask matches the dApp (e.g., Ethereum mainnet vs a testnet).
  • Check for hardware wallet confirmation prompts if using a connected device.
  • Ensure you have sufficient native token (ETH) to pay gas fees on the network.

Missing tokens

  • Custom tokens must sometimes be added manually by contract address if MetaMask doesn't auto-detect them.
  • Check transaction histories on a block explorer to confirm balances and token transfers.

Everyday best practices — checklist

  • Use a hardware wallet for signing when managing large balances.
  • Keep seed phrase offline and secured (steel backup recommended for long-term storage).
  • Use separate wallets for different activities (trading, long-term holding, staking).
  • Audit approvals monthly and revoke unneeded permissions.
  • Use a dedicated, minimal-extension browser profile for Web3.
  • Test sending small amounts before large transfers to unfamiliar addresses or contracts.

Small habit: set a calendar reminder to review wallet approvals and connected sites every 30 days — it takes 10 minutes and prevents many problems.

Frequently asked questions

Is MetaMask custodial?

No — MetaMask is non-custodial. You retain control of your private keys and seed phrase. That means you’re responsible for keeping them safe.

Can I use one seed across devices?

Yes — importing the seed into another MetaMask instance will restore access. But avoid using a compromised device to restore; use a clean device and consider hardware wallets for signing.

What if I lose my seed phrase?

If you lose the seed and do not have any other backup, you cannot recover your wallet — custody of the assets is lost. That’s why secure backups are critical.

Final notes & next steps

MetaMask is powerful and convenient for Web3 — but with that power comes responsibility. Protect your seed phrase, prefer hardware signing for valuable assets, stay skeptical of unsolicited links and approvals, and regularly audit your wallet permissions. Small, consistent habits protect you far more than one-time heroics.
