MetaMask Login | send/receive Ethereum securely

MetaMask is merely storage, and cannot read who is using the service, nor the content of the configurations,

Notifications and user storage privacy approach

Information on the new authentication, notifications, and user configurations storage features available on MetaMask Portfolio.

What are the benefits of logging in on MetaMask Portfolio?

Logging into MetaMask Portfolio improves your experience by enabling you to:

  • Receive notifications about your wallet activity

  • Sync your user configurations and settings across the different devices where you have MetaMask installed. Over time we will start to back up and cross-sync your address book, transaction history, imported tokens, and watched addresses

  • Back up your configurations for when you change or reset your browser

How does this respect my privacy as a MetaMask user?

Your settings are synced without compromising the confidentiality of your MetaMask activity. Instead of web2-like architectures, where service providers host user data, we use a privacy-first approach where your information is encrypted on the client-side (i.e. locally, on your device), and the server acts as storage and relayer of encrypted data. MetaMask, therefore, has zero visibility of which users or addresses are using this service, and how.

How does the login work?

When you attempt to sign into MetaMask Portfolio, your MetaMask wallet will ask you to sign a message with your address to prove that you own that account. After signing, you will be logged into MetaMask Portfolio with that account address. We use a standard Sign-In with Ethereum flow. Our server receives the signed message and your address, checks the signature, hashes the address together with a salt (a random value) to generate your AccountID, and then forgets the address. The server signs your AccountID and emits a JSON Web Token (JWT) that the client can use to access MetaMask services, like the user configurations storage or notifications. Since the address is not stored and the AccountID hash is not reversible, MetaMask doesn’t know who has logged in or which addresses were used.
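The server-side steps after the signature check can be sketched as follows. This is an added example, not MetaMask's code: the HMAC-SHA256 construction for the AccountID, the HS256 token signature, and the names `ACCOUNT_SALT`, `JWT_KEY`, `account_id`, `issue_jwt` and `verify_jwt` are assumptions chosen so it runs with the Python standard library alone, and Sign-In with Ethereum signature verification is assumed to have already succeeded.

```python
import base64, hashlib, hmac, json, time

# Constructed demo secrets (assumption): a real service loads these from a secret store.
# The salt must stay secret: addresses are public, so a known salt lets anyone
# recompute the AccountID for any address they care to check.
ACCOUNT_SALT = b"constructed-demo-salt"
JWT_KEY = b"constructed-demo-jwt-key"

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def account_id(address, salt=ACCOUNT_SALT):
    """Salted hash of the address; HMAC-SHA256 is an assumed construction."""
    # Lower-case first so checksummed and plain spellings give one AccountID.
    return hmac.new(salt, address.lower().encode(), hashlib.sha256).hexdigest()

def issue_jwt(address, now=None, ttl=3600):
    """Call only after the Sign-In with Ethereum signature has been verified."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    claims = {"sub": account_id(address), "iat": now, "exp": now + ttl}
    # The address is not stored anywhere; only the AccountID enters the token.
    parts = [b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, claims)]
    signing_input = ".".join(parts)
    sig = hmac.new(JWT_KEY, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(sig)}"

def verify_jwt(token, now=None):
    """Return the claims if the signature and expiry check out, else None."""
    now = int(time.time()) if now is None else now
    try:
        head, body, sig = token.split(".")
        expected = hmac.new(JWT_KEY, f"{head}.{body}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url(expected), sig):  # constant-time compare
            return None
        if json.loads(b64url_decode(head)).get("alg") != "HS256":  # pin the algorithm
            return None
        claims = json.loads(b64url_decode(body))
    except (ValueError, TypeError, AttributeError):
        return None
    return claims if claims.get("exp", 0) > now else None

if __name__ == "__main__":
    token = issue_jwt("0x" + "Ab" * 20)  # constructed address, not a real account
    print(token, verify_jwt(token))
```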
