Authentication Without Passwords

The password represents one of the weakest links in the cybersecurity chain, and is frequently one of the opening points of an attack.  Passwords can be collected in cleartext through phishing exploits such as an email link that directs you to a fake login page, or social engineering ploys such as bogus calls from “IT” or “tech support,” or keylogging software that captures the entire user name/password/web address triad.  Passwords can be cracked online using brute-force or password spraying attacks.  Passwords can be cracked offline using stolen web site databases of user names and hashed passwords.  Hashed passwords can be replayed using techniques such as “pass the hash.”  On its own, a password no longer represents a strong form of security.  The only factor that improves the strength of a password is length, but password length is no protection against cleartext password harvesting methods.

One of the better ways to strengthen a password is to couple it with a second authentication factor.  Two factor authentication combines something you know, like your password, with something you have, like a code from an authenticator app, or something you are, like a fingerprint.  Other factors include somewhere you are, a location based factor, or something  you do, such as typing cadence or mouse movements.

Replacing the password entirely with something else has gotten a lot of attention lately, and there are several methods currently available or under development that show some promise.

  • Microsoft’s authentication PIN – In Windows 10, users have the coice of authenticating to their computer using their Microsoft account user name and password, or a PIN.  The PIN is a number or combination of numbers and letters at least 4 characters long.  I recommend something longer, like 6 or 8 characters.  The PIN is stored locally on the computer’s Trusted Platform Module chip, and only opens your computer.  You have to be physically present at the computer.  Using the PIN enables other security features such as Microsoft Hello, and biometric authentication.  The PIN does not provide access to your other Microsoft account features such as your email, Skype, or OneDrive accounts, like your Microsoft account credentials do.  After some initial resistance, I have begun to recommend this to my clients.  If you want to switch to using a PIN, there are good instructions on How To Geek.
  • Biometrics – Fingerprint readers are becoming common for phones, tablets, and even laptops, and when coupled with a strong PIN, can provide decent security for device access.  Facial recognition is another option that is also improving over time, and is becoming harder to spoof with just a picture.
  • Chip and PIN – First used in credit cards, this is turning up in other applications including Estonia’s national identity card.  The chip presents an randomly generated number that changes with each use, and the PIN confirms the cardholder.
  • Push notifications – This method requires only a user name, and the authentication page sends a push notification by MSM text, or email with a one-time link to complete the authentication process.  One problem is that the communication channel (text or email) are usually not encrypted, and if intercepted can be used by an attacker.  Unfortunately this can happen through SIM cloning or email account hijacking.
  • Behavioral traits – Each of us has a unique way of doing things.  Behavioral recognition takes simple acts such as typing cadence, mousing style and combines that information with other factors (such as location) to authenticate a user to a system or network.

If you are looking for alternatives to the password for the users on your network, this gives you a place to start.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.