Neo Drops NEP-20: Your Wallet Address Just Replaced Your Password (Finally)
Neo co-founder Erik Zhang has finalized NEP-20, an authentication standard that lets users log in to websites, games, and applications using their Neo wallet. The standard defines a Challenge/Response protocol for address-based identity verification, aimed at eliminating usernames, passwords, and separate account registration. After several years in the works, NEP-20 has reached "Accepted" status in the Neo Enhancement Proposals repository. Basically, your 34-character string of alphanumeric chaos is now your golden ticket to the internet. Password managers are crying in a corner somewhere.
The standard was first proposed in March 2021, with active review and revisions resuming in late March 2026. Contributors from across the Neo developer community helped finalize it. Five years of arguing about signature algorithms and nonce implementation, and somehow nobody threw a chair. Impressive discipline from the Neo crew.
The Problem with Platform-Controlled Identity
Most internet applications tie identity to the platform. Users create accounts managed by the service, credentials sit on the service's servers, and users have only indirect control over their own identity data. This creates two recurring issues: centralized security risk (a single breach can expose an entire user base) and fragile dependence on third-party login providers whose APIs, policies, and availability can change without warning. It's like letting your landlord hold your ID and hoping they don't get hacked at 2 AM. Spoiler: they always get hacked.
Services like "Sign in with Google" were designed to simplify onboarding, but applications often still require users to bind a phone number or email afterward because no product can fully trust an external identity solution it doesn't control. So much for frictionless. You wanted one-click login? Cool, now give us your phone number, mother's maiden name, and a blood sample. We're basically building digital fortresses on quicksand and calling it progress.
How NEP-20 Works
NEP-20 shifts authentication from platform verification to user proof. Instead of a centralized service confirming identity, users prove ownership of their Neo address directly through a cryptographic signature. No middleman, no database of passwords waiting to become tomorrow's headline breach. Just you, your private key, and the cold, beautiful mathematics of ECDSA.
The process follows a Challenge/Response interaction:
1) The application server generates a Challenge payload, a structured JSON request containing the server's domain, a one-time nonce (a random number valid for a recommended five minutes), a timestamp, supported signature algorithms, and the Neo network identifiers the authentication applies to.
2) The user's wallet presents key details for confirmation, including the requesting domain and action. If the user approves, the wallet signs the Challenge data and returns a Response payload containing the user's public key, address, nonce, timestamp, and signature.
3) The application verifies the signature against the returned public key and address, checks that the domain, nonce, and timestamp are valid and consistent, and, if everything matches, completes authentication.
It's like showing your ID, but the ID checks if the bouncer is actually the bouncer before showing up. Mutual suspicion: the foundation of secure relationships.
No password is transmitted, no credentials are stored on the server, and no on-chain transaction is required. Identity is proven through a valid signature alone. The server doesn't know your secrets. It just knows you know math. And in crypto, that's basically a marriage certificate.
Security Model
NEP-20 incorporates several constraints to prevent common attack vectors. Domain binding requires the Challenge to include the server's domain, which the wallet must verify and display to the user before signing, mitigating phishing and cross-site misuse. Nonce expiration ensures each authentication request uses a unique, time-limited random number, and the server must prevent nonce reuse, blocking replay attacks. Timestamp validation in both the Challenge and Response allows each side to verify time synchronization and detect stale or replayed requests. Signature verification requires the app to confirm that the signature matches the returned public key. Explicit user consent requires the wallet to display critical information and obtain user confirmation before producing a signature. The currently supported signature algorithm is ECDSA-P256, though the standard's allowed_algorithms field is designed as an array to accommodate future additions. Basically, they built a security system where everyone has to prove they're not a scammer, repeatedly, with a timer. Healthy paranoia: the crypto way.
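As an added illustration of the three-step flow and the security checks just described (example code written for this article, not the NEP-20 text or any Neo wallet's implementation), here is a minimal Go model: the server issues a domain-bound, one-time challenge, the wallet refuses to sign unless the challenge names the site the user is actually on, and the server verifies the ECDSA-P256 signature against the challenge it stored, burning the nonce so a replay never gets a second try. The struct layout, the signed-message encoding, the five-minute window expressed in seconds, and the omission of Neo address derivation (the compressed public key stands in for the address) are all assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Challenge holds the article's domain, one-time nonce and timestamp (unix seconds). Assumed layout, not the NEP-20 schema.
type Challenge struct{ Domain, Nonce string; Timestamp int64 }
// Response: nonce, compressed P-256 public key, ECDSA-P256 (ASN.1 DER) signature. Address derivation is omitted (assumption).
type Response struct{ Nonce string; PublicKey, Signature []byte }
// Server keeps every issued Challenge by nonce so each can be redeemed exactly once.
type Server struct{ Domain string; issued map[string]Challenge }
func NewServer(domain string) *Server { return &Server{domain, map[string]Challenge{}} }
func (s *Server) NewChallenge(now int64) Challenge {
	var b [16]byte
	rand.Read(b[:]) // 128-bit random nonce
	c := Challenge{s.Domain, fmt.Sprintf("%x", b), now}
	s.issued[c.Nonce] = c
	return c
}
// digest is what both sides sign and verify; folding the domain in is what binds a signature to one site.
func digest(c Challenge) []byte { h := sha256.Sum256([]byte(fmt.Sprintf("%s\n%s\n%d", c.Domain, c.Nonce, c.Timestamp))); return h[:] }
// WalletSign is the user-side step: refuse a challenge naming a domain other than the one being visited, then sign.
func WalletSign(key *ecdsa.PrivateKey, c Challenge, visitedDomain string) (Response, error) {
	if c.Domain != visitedDomain {
		return Response{}, fmt.Errorf("wallet: challenge is for %q but the user is on %q", c.Domain, visitedDomain)
	}
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest(c))
	return Response{c.Nonce, elliptic.MarshalCompressed(elliptic.P256(), key.X, key.Y), sig}, err
}
// Verify checks against the Challenge the server itself issued (never fields echoed by the client) and burns the nonce first.
func (s *Server) Verify(r Response, now int64) error {
	c, ok := s.issued[r.Nonce]
	delete(s.issued, r.Nonce) // one attempt per nonce, success or failure
	x, y := elliptic.UnmarshalCompressed(elliptic.P256(), r.PublicKey)
	switch {
	case !ok:
		return fmt.Errorf("unknown or already used nonce")
	case now-c.Timestamp > 300: // recommended five-minute validity
		return fmt.Errorf("nonce expired")
	case x == nil || !ecdsa.VerifyASN1(&ecdsa.PublicKey{Curve: elliptic.P256(), X: x, Y: y}, digest(c), r.Signature):
		return fmt.Errorf("signature does not verify against the returned public key")
	}
	return nil
}
```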
Three Interaction Modes
NEP-20 defines three scenarios for user and application interaction during authentication. In QR Code Mode, a website displays a QR code encoding the Challenge payload. A user scans the code with a mobile wallet, confirms the login on their device, and the wallet sends the signed Response to a callback URL provided in the Challenge. This enables cross-device authentication, allowing a user to log in to a desktop session from a mobile phone. It's like magic, except the magic is just math and slightly awkward camera angles at coffee shops.
In Plugin Mode, a browser extension wallet detects whether a website supports NEP-20. The website's frontend requests a Challenge from its server, passes it to the wallet's authenticate method, and the wallet verifies the domain, prompts the user, and returns the signed Response. This enables seamless, near-automatic login for users with compatible browser wallets. One click. Maybe two if you're paranoid. The dream is real, and it lives in your browser extensions folder.
In Connection Mode, the protocol works over persistent connections. A game client or command-line tool connects to a server, receives a Challenge, signs and returns a Response, and proceeds with the session if authentication succeeds. This covers native applications, backend services, and CLI tools that do not operate in a browser. For the terminal gangsters who'd rather type "neo-cli auth" than touch a mouse. We see you, keyboard warriors.
Design Decisions
A key design choice in NEP-20 is that it operates entirely off-chain. The standard supports only standard single-key Neo accounts (System.Crypto.CheckSig), which represent the vast majority of Neo addresses. During the review process, Neo SPCC suggested extending support to multi-signature and script-based accounts. Zhang responded that he does not intend to support addresses other than System.Crypto.CheckSig here, as doing so would mean NEP-20-enabled applications would need to run a NEO node, or at least a trusted RPC server, which is currently unacceptable for traditional applications or gaming platforms, and that a fully off-chain authentication scheme is needed. Translation: we want your grandma to be able to log into her farming simulator without spinning up a blockchain node. The bar for "traditional applications" is tragically low, and Zhang gets it.
The standard's grant_type field, currently set to "Signature," is designed to be extended in the future to support additional authentication methods, leaving the door open for script-based verification in later iterations. One day, maybe your multi-sig can log you into things. Today, it's just the basics. Slow and steady wins the standardization race.
Possible Use Cases
NEP-20 is designed to function as a universal authentication layer across different environments. Web applications can offer wallet-based login alongside or in place of traditional credentials. Games can authenticate players without requiring a separate account system. Backend services and CLI tools can integrate wallet signing directly. The NEP-20 standard's network field uses magic numbers from Neo's ProtocolSettings, enabling applications to support authentication across multiple Neo networks within a single implementation. Imagine logging into your favorite game with the same wallet you use for DeFi, without creating another account with a password you'll definitely forget. The future is weird, and it's passwordless.