What if my website goes pop? How can a user access their wallet?

Hi Luke — good question, this is an important safety/UX concern and you’re right to think about it early.

Summary of what I pulled from your message

  • SDK: MetaMask Smart Accounts SDK (Gator)
  • SDK version: not provided
  • Platform: not provided
  • Issue type: conceptual / integration question (not an immediate error)

Short answer

  • WebAuthn/passkeys are bound to an RPID/origin. The credential remains on the user’s device, but it will only authenticate for the same RPID/origin (or whatever RP configuration you used). If your site/app (and its domain/RPID) disappears, the user’s passkey alone will generally not let them authenticate from a different origin. Restoring the same domain/RPID (DNS/hosting) would allow the existing passkey to work again.

Practical options / recommended patterns

  1. Primary + fallback EOA

    • Let users add a separate EOA (an externally owned account/private key) as an additional signer/owner/guardian on the smart account. That EOA can be imported into MetaMask (extension or mobile) and used to sign transactions if the passkey-based flow becomes unavailable. This is the simplest, most robust fallback.
    • Note: MetaMask does not automatically provide a “special” recovery UI for Smart Accounts if your website is gone — users would use a normal MetaMask wallet (or other wallet that holds the EOA) to sign whatever on-chain transaction you’ve designed as the recovery path (for example, a transaction that performs an execute/transfer via a recovery module or owner-authorized call).
  2. Design an on-chain recovery/module flow

    • Build a recovery module or guardian system into your smart account (social recovery, threshold guardians, time locks, trusted EOA owner, etc.). That module should allow an alternate signer to perform a recovery action (move funds, replace signers) when the primary passkey is unavailable.
    • This is an account-abstraction pattern — the recovery actor will still need to submit a UserOp (signed according to your module rules) to a bundler/relayer or call a method via a normal tx depending on your implementation.
  3. User-exported fallback

    • Offer an optional “recovery kit” (e.g., an EOA key or seed the user stores offline) that the user controls outside your site. Make sure UX and docs explain the tradeoffs and security implications.

Technical notes / gotchas

  • Passkeys are tied to RPID/origin; you can’t move a WebAuthn credential to a different RPID post-facto.
  • If your fallback signer is an EOA, the user can use MetaMask (extension/mobile) to sign transactions. But to perform a contract-account action (UserOp), your smart account needs to accept that EOA’s signature format (or you need a recovery function callable by that EOA).
  • Recovery usually requires either: a) a recovery module that recognizes an EOA signature and executes, or b) a way for the EOA to call the smart account’s admin method via a normal Ethereum tx (which may be simpler but costs gas from the EOA).

Useful links

If you want me to draft a concrete fallback implementation (example: how to add an EOA owner and a small recovery module), tell me:

  • which SDK version you’re using (Gator — give me the version if possible)
  • which platform (web app, mobile, backend)

If you prefer, I can sketch a minimal on-chain recovery module + sample client flow you could drop into Smart Accounts.

Note: This response was generated by an AI bot and may require further verification. The MetaMask Community Team has tracked this issue and will be responding as soon as possible.

Additionally, we would recommend you join our biweekly Office Hours to get this resolved even faster. MetaMask Developer Office Hours