MetaMask's Taylor Monahan Talks Safety, Scams and Seed Phrases
Get caught up on developments at MetaMask from a crypto OG
At just about every crypto conference there’s a keynote about onboarding the masses into web3, followed by a common complaint: we need to fix the problem of wallet complexity. For mainstream users, self-custody is a foreign concept. As a society, we’re used to middle-men, recovery processes or reset buttons.
Taylor Monahan has been working on the wallet problem since 2015, when she built a little tool that allowed her and a couple of friends to move their Ethereum. That “very simple, very ugly product” turned into MyEtherWallet.
“It turned into a real product with a team, but we never really got the company stuff,” she said to me recently. “Me and my original co-founder went our separate ways, and MyEtherWallet became MyCrypto. We experienced this exponential growth phase, serving, let’s call it, the advanced power user base of Ethereum.”
MyCrypto enjoyed a decent number of users, but it was nothing compared to MetaMask’s growth spurt. Monahan was buddies with MetaMask Co-Founder Dan Finlay and had always hung out with the crew. MetaMask went from one million to 30 million users in a short period of time.
“The team was growing, ConsenSys was growing, MetaMask was growing, the product was growing, and the amount of scams we were seeing was growing,” Monahan said. “So, at the beginning of 2022, we officially merged MyCrypto and MetaMask. My original team is dispersed across MetaMask. Since then, the growth has been insane.”
MetaMask wallet numbers grew to 115 million active users in 2022 – a 54 percent increase from 2021.
All of Monahan’s focus is now on making MetaMask better and safer. Since the merger, the market’s gone down and Monahan was looking forward to chilling and building. It’s hard to roll out new features and functionality when you have millions of active users.
On paper, Monahan is MetaMask’s lead product manager, although she’s not one for fancy titles. “When I first joined MetaMask, Dan was about to have his first child and he wanted to take a break. I was sort of the stand-in for Dan and leading the teams,” she said. Now, her role is more hands-on, working with security, customer support and user-safety teams to improve the product overall.
It’s a good connection between the people at MetaMask who know the security landscape from personal experience and the developers building new features, she said.
Playing Whac-a-Mole with scammers
It’s a critical job if the goal is to bring one billion users into web3. It’s a delicate dance between self-custody and safety – and scammers sure know it. So much of what we’re doing in web3 is different from what people are used to. Monahan has been most shocked by the clever and creative ways hackers are tricking, deceiving, scamming and stealing from users. It’s very important to be able to ship product features in response to attacks as quickly as possible, she said. As she perfectly described it, it’s a game of Whac-a-Mole.
From low-brow phishing scams to full-blown schemes, “it’s the diversity and dedication of these attacks that’s mind-boggling,” she said.
“We have to educate people not just about any one single, little aspect of how they could lose their assets,” Monahan said. “More broadly, we need to teach people, to their core, what this industry is and what steps they need to understand in order to make the best decisions. Because if you tell someone like ‘oh, like, you know, that Nigerian prince scam is a hack,’ you can train people on that. But the scammers will just pivot and be like, ‘hi, I'm a prince from Mars today.’ And like, it'll bypass people's education.”
Monahan believes we’re going to see more voice phishing, or “vishing,” attacks thanks to AI. In response, MetaMask is working hard on security mechanisms to stop or slow down the scams. Various controls are helping – the live chat, asset rescue attempts, investigative partners and support from law enforcement. But making self-custody safer requires a combination of tech advances, education, policing and the law.
When asked about the criticism that MetaMask isn’t as user-friendly as it could be, she said it’s not perfect. “What people don’t understand is that you can look at one piece of MetaMask or one problem and the solution is really obvious,” she said. “It’s easy to say, if they did this, that mistake wouldn’t be possible. They’re not wrong. However, there’s so many other things we have to consider.”
She continued, “At the core, one thing that’s fundamental to our entire existence is we want the user to be in full control and to be empowered. It’s a little tongue-in-cheek, but if MetaMask wants to reduce loss, the easiest way is not to allow anyone to send any transactions ever.”
Hopefully the days of losing seed phrases or getting scammed will be behind us soon, with various security mechanisms in the works that both give users more control and keep funds safe.
MetaMask Learn is a good example. “We have these super cool little simulations that you can click around your wallet, but it’s not your real wallet. These types of UI features help the user become more familiar with the core concepts and the product in a safe environment,” Monahan said.
There are a lot of initiatives in the pipeline for this year. MetaMask Snaps – a plug-in system for developers to extend MetaMask functionality – is currently in beta mode and is set to launch later this year. “It’s probably one of the most exciting things we’re working on in my opinion,” said Monahan. “The other focus is account abstraction and the delegation elements, which we’re thinking deeply about right now.”
In the broader Ethereum world beyond MetaMask’s efforts, seed phrase recovery innovations and improving industry protocol layer standards, such as ERC-4337, are important.
These innovations, Monahan hopes, will transform the secret recovery phrase into something other than a single string of words that has full control over all the assets, with clarity around processes and protections.
“Ideally, in the future, we have a situation where you can lock down an NFT and say don’t let me send it unless I sign off on like three different devices or my friend signs off, too,” she said.