diff --git a/README.md b/README.md
index 9cb1e48663ac6da0f369a76bfe02305f1a70e5ee..375d6f41c8dc359520f2fd81cbd360626165570f 100644
--- a/README.md
+++ b/README.md
@@ -55,8 +55,7 @@ Check [#464](https://github.com/adrienverge/openfortivpn/issues/464) for a discu
 of known issues in this area.
 
 To make use of your smartcard put at least `pkcs11:` to the user-cert config or commandline
-option. It takes the full or a partial PKCS#11 token URI. Also username and password currently
-may not be empty, but don't get used. So you should fill in dummy values.
+option. It takes the full or a partial PKCS#11 token URI.
 
 ```
 user-cert = pkcs11:
diff --git a/doc/openfortivpn.1.in b/doc/openfortivpn.1.in
index bd73a8b53e7ef683b0f9735bafacd20181a6e126..a4ed34bf25011ac2f134fb313d99c1e025ba07a2 100644
--- a/doc/openfortivpn.1.in
+++ b/doc/openfortivpn.1.in
@@ -1,4 +1,4 @@
-.TH OPENFORTIVPN 1 "October 24, 2019" ""
+.TH OPENFORTIVPN 1 "November 27, 2019" ""
 
 .SH NAME
 openfortivpn \- Client for PPP+SSL VPN tunnel services
@@ -110,8 +110,8 @@ Use specified PEM-encoded certificate if the server requires authentication
 with a certificate.
 .TP
 \fB\-\-user-cert=\fIpkcs11:\fR
-Use at least the string pkcs11: for using a smartcard. Takes also
-full or partially PKCS11-URI (p11tool --list-token-urls)
+Use at least the string pkcs11: for using a smartcard. It takes the full
+or a partial PKCS11-URI (p11tool --list-token-urls)
 
   --user-cert = pkcs11:
 
@@ -119,7 +119,7 @@ full or partially PKCS11-URI (p11tool --list-token-urls)
 
   --user-cert = pkcs11:model=PKCS%2315%20emulated;manufacturer=piv_II;serial=012345678;token=someuser
 
-\fBRequires OpenSSL PKCS engine!
+\fBThis feature requires OpenSSL PKCS engine!
 .TP
 \fB\-\-user\-key=\fI<file>\fR
 Use specified PEM-encoded key if the server requires authentication with
diff --git a/src/http.c b/src/http.c
index 8fe7a358a3cb1ee3584c5ffab92e95dc9f96e0a3..c29d0d87bce202a210da46ffc1ff3b7d4a744472 100644
--- a/src/http.c
+++ b/src/http.c
@@ -566,7 +566,6 @@ int auth_log_in(struct tunnel *tunnel)
 	uint32_t response_size;
 
 	url_encode(username, tunnel->config->username);
-	url_encode(password, tunnel->config->password);
 	url_encode(realm, tunnel->config->realm);
 
 	tunnel->cookie[0] = '\0';
@@ -576,10 +575,16 @@ int auth_log_in(struct tunnel *tunnel)
 		ret = http_request(tunnel, "GET", "/remote/login",
 		                   data, &res, &response_size);
 	} else {
-		snprintf(data, sizeof(data), "username=%s&credential=%s&realm=%s&ajax=1"
-		         "&redir=%%2Fremote%%2Findex&just_logged_in=1",
-		         username, password, realm);
-
+		if (tunnel->config->password == '\0') {
+			snprintf(data, sizeof(data), "username=%s&realm=%s&ajax=1"
+			         "&redir=%%2Fremote%%2Findex&just_logged_in=1",
+			         username, realm);
+		} else {
+			url_encode(password, tunnel->config->password);
+			snprintf(data, sizeof(data), "username=%s&credential=%s&realm=%s&ajax=1"
+			         "&redir=%%2Fremote%%2Findex&just_logged_in=1",
+			         username, password, realm);
+		}
 		ret = http_request(tunnel, "POST", "/remote/logincheck",
 		                   data, &res, &response_size);
 	}
diff --git a/src/main.c b/src/main.c
index b283c8f3eec4b0cbc0b78e937f3e6731877f670b..a99e65ce88fdfbcd24b83b3595da902aee5774c2 100644
--- a/src/main.c
+++ b/src/main.c
@@ -512,30 +512,25 @@ int main(int argc, char **argv)
 		goto user_error;
 	}
 	// Check username
-	if (cfg.username[0] == '\0') {
+	if (cfg.username[0] == '\0' && cfg.use_engine != 1) {
 		log_error("Specify an username.\n");
 		goto user_error;
 	}
-	// If no password given, interactively ask user
-	if (cfg.password == NULL || cfg.password[0] == '\0') {
-		free(cfg.password);
+	// If username but no password given, interactively ask user
+	if (cfg.password == NULL && cfg.username[0] != '\0' ) {
 		char *tmp_password = malloc(PWD_BUFSIZ); // allocate large buffer
 		read_password(cfg.pinentry, "password",
 		              "VPN account password: ", tmp_password, PWD_BUFSIZ);
 		cfg.password = strdup(tmp_password); // copy string of correct size
 		free(tmp_password);
 	}
-	// Check password
-	if (cfg.password[0] == '\0') {
-		log_error("Specify a password.\n");
-		goto user_error;
-	}
-
 	log_debug("Config host = \"%s\"\n", cfg.gateway_host);
 	log_debug("Config realm = \"%s\"\n", cfg.realm);
 	log_debug("Config port = \"%d\"\n", cfg.gateway_port);
-	log_debug("Config username = \"%s\"\n", cfg.username);
-	log_debug_all("Config password = \"%s\"\n", cfg.password);
+	if (cfg.username[0] != '\0')
+		log_debug("Config username = \"%s\"\n", cfg.username);
+	if (cfg.password != NULL)
+		log_debug_all("Config password = \"%s\"\n", cfg.password);
 	if (cfg.otp[0] != '\0')
 		log_debug("One-time password = \"%s\"\n", cfg.otp);