Another vendor has joined the crowd of voices urging infosec pros to enable two-factor or multi-factor authentication where they can to better secure IT systems.

Effective prevention of credential theft should focus on four strategies: having more than one factor of authentication, one-time passwords, password managers and employee training, says a discussion paper released Tuesday by the Unit 42 intelligence division of Palo Alto Networks.

But, it adds, “the shift toward both two-factor authentication (2FA)/multi-factor authentication (MFA) and one-time passwords (OTP) is potentially game-changing” by lowering the risk of stolen credentials.

“The power of 2FA/MFA’s effectiveness lies in the fact that it accepts and mitigates the current reality: that passwords are weak or stolen. 2FA/MFA introduce additional authentication requirements so that an attacker who has only one of the authentication factors has no more access than the attacker with none of the authentication factors.”

A one-time password is a password that is valid for only one login or transaction, and most of them are valid for a limited amount of time (perhaps 24 hours). Many enterprise implementations also require access to something a user has (such as a small digital token with an OTP calculator built in, a specific mobile device, or an OTP generator) as well as something a person knows (such as a PIN). “This frees people from the need to create, memorize and manage multiple complicated passwords, and removes one of the most abused vectors in hacking,” the paper says.

“This approach has the possibility to end the reuse of stolen credentials.”

Legitimate credentials are a “ticket through the front door of every account and organization on the planet,” the paper points out, so they are a prime target in almost every cyber attack. With the right credentials an attacker can go almost anywhere on a corporate network.

Stealing credentials doesn’t necessarily require any level of technical ability, the paper adds, noting that these days attackers can even rent the necessary tools, like keyloggers and Trojans, in underground forums if they can’t purchase already-stolen credentials.

Generally attackers use any of five techniques to get credentials: social engineering (for example, through fake Facebook or LinkedIn personas), credential phishing and spam, reusing stolen passwords or shared credentials, brute force attacks, and tricking call centres into resetting passwords by reusing answers to common security questions (like birth dates that can be found online).

The chief reason credentials have any monetary value is that most people rarely change them and often reuse passwords across multiple accounts, the paper argues. As a result these credentials can remain valid for months or years.

The paper says password managers are an important ingredient in a credentials strategy, allowing employees to have unique, strong passwords for every site. All the user has to do is remember one password for the manager. However, it notes the managers have a weakness: if that master password is cracked, security is lost.

As for employee security education — particularly training staff to be on the lookout for phishing attacks and to treat requests from sites to re-enter passwords as suspicious — the paper says “the user represents the final, most effective and potentially advanced layer of security there is.”

“We don’t have to treat credential theft as the unknown, inevitable X-factor in successful attacks,” the paper concludes. “Just as we can fight against threats like attacks against vulnerabilities, spam and phishing, we can fight against and prevent credential theft.”

The report can be downloaded here.