What are the alternatives to passwords?

Worrying news for IT professionals – not to mention anyone who trusts a big company with their data – as a survey found that one in seven employees would be prepared to sell their company password.

Many were prepared to sell their password for as little as $150, and the survey went on to note that more than 20% of employees routinely share passwords with each other. 56% also re-use their passwords across personal and corporate accounts. Such practices on the part of employees could play a significant role in data breaches and hacks – like Sony Pictures’ attack in 2014.

So, is it time for big companies – at the very least – to abandon weak password security? If so, what password alternatives are out there?

Two Factor Authentication

Not an alternative to passwords, so much as an advancement, Two Factor Authentication – or 2FA – requires users to enter a unique code sent to a second email address of mobile number in order to log in alongside the password. Many high profile sites offer 2FA including Gmail, Twitter, Dropbox and the Steam gaming platform. You can read more about 2FA here, or watch the short video below which explains how Twitter integrated it into their site.

A personal USB key

Google – which has already been a leading voice in establishing two-factor identification – has been working on personalized USB keys as a password alternative. Simply plug your key into the PC you need to use, and it loads your profile. According to Google, a Chrome extension is already primed to work with such keys, meaning all your online logins could be stored within the master key – no more typing in passwords on any website, in theory. Communication between the browser and the key is said to generate no information that could be used to impersonate the user if intercepted.

Your heart on your wrist

Nymi Band_3 Colours

The Nymi wristband looks like a lot of other wearable tech – but instead of counting your steps, it’s measuring your pulse. The precise, unique rhythm of your heart can be used as an alternative to a password, identifying you wirelessly not just to your computer, but potentially to your car, your house, and in stores for making payments. It might sound far-fetched but it’s not such a jump to combine a heart-rate monitor with NFC communication.

Next-generation biometrics

Forget iris or fingerprint ID as password alternatives – the latest thinking in biometric identification covers a fantastic range of possibilities. Descartes Biometrics makes an app called Ergo, for Android, which it claims can use the shape of your ear to identify you – simply by pressing it against the screen as you might during a phone call.

walking feet

Other concepts in biometrics include measuring your gait – perhaps not as practical for those who just need to log into their workstation, but again, a wearable bracelet equipped with accelerometers and gyroscopes could be used to monitor your gait (its speed, balance, weight) and login to your computer by matching the data against a pre-recorded sample.

Still other biometric ideas include full facial recognition – which Facebook claims to have perfected to a near-human level of accuracy – and recognizing your typing speed. It could one day be not what your password is, but simply how you type it.

Use a virtual ‘token’


In similar vein to Google’s USB concept, this password alternative employees to carry a piece of pre-recorded information with them. These, however, can be incorporated into your smartphone. Clef, a new app already used by tens of thousands of sites, logs users in by displaying a temporarily-generated, unique image on the phone screen. Simply hold the image up to your webcam to authenticate it. The image can’t be stolen, as each one is randomly generated and lasts for less than thirty seconds.

Author , ESET

  • Someone

    Nice, but as long as most authentication-code just plug into most of the applications and operating systems as a module and is not inherit in the design, this will not change anything. How many breaches were because of passwords cracked in the open, instead of bad patch-policy, bad security configurations and etc. Most of those password-hashes that were stolen never came from bruteforcing in the first place, but from an other way of retrieving (openly accessible databases with default passwords, for example. Or a bad configured http-server with read-rights on files that shouldn’t be readable by any user other that root or the system itself).

  • Xander Maly

    Good summary, but incomplete. What about Steve Gibson’s SQRL or has it been debunked?

  • Jonathan Sparks

    What about good ol’ social engineering or complicated passwords that cause users to write them down? It isn’t necessarily poor password policy as it is poor password education. A 13 character pass-phrase consisting of random words or a phrase along with a number and special character here and there is just as secure as jibberish, but is far easier for a user to remember (staying away from personal information, of course). ex. Jabbath3hut!! or *usetheF0rce* versus Z1h4#g0snat$D. As an IT admin, I use to make rounds afterhours and remove post-its from people’s desks that were clearly their passwords and then send them an email that it needed to be reset for security purposes and tell them just that.

  • biti_disi

    One relatively new option is missing. Login by Trezor, a small USB device originally made for bitcoin. It signs with private keys in a safe environment, has a display for visual response and buttons for physical confirmation. Ex Google security chief called it the most sophisticated authentication in the world, way better than Google’s Security key.

Follow us

Copyright © 2017 ESET, All Rights Reserved.