Firms enlist smartphones to provide cyber security
There’s a new weapon of choice in the battle companies are waging against cyber crime: your smartphone.
Companies are enlisting smartphones as another layer of protection, say security professionals, because they are cheaper and their widespread popularity makes it easier for firms to reach a broad swath of customers.
“People can forget their keys and lunch at home, but no one forgets their phone,’’ said Ward Howell, director of security solutions consulting at Q2ebanking, an Austin, Texas, firm that provides banking services to regional banks and credit unions.
Software can turn a smartphone into a security token that generates a fresh one-time passcode at short, fixed intervals, as RSA’s popular SecurID key fobs do.
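How a software token of this kind produces and checks its codes, as an added example that is not from the article and not RSA’s code: a minimal implementation of the open time-based one-time password standard (HOTP, RFC 4226, and TOTP, RFC 6238) in Python, with the server-side check that tolerates one step of clock drift and refuses a code that has already been used. RSA’s SecurID uses its own algorithm rather than this one; the shared-secret, time-step idea is the same. The seed value in the demo is the RFC 6238 test secret, not a real provisioning seed.

```python
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HOTP (RFC 4226): HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # low nibble of the last byte picks a 4-byte window
    binary = ((mac[offset] & 0x7F) << 24          # clear the top bit so the value is non-negative
              | mac[offset + 1] << 16
              | mac[offset + 2] << 8
              | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is the number of `step`-second intervals since the epoch."""
    return hotp(secret, int(for_time) // step, digits)


def current_code(secret: bytes, step: int = 30, digits: int = 6) -> str:
    """What the token app on the phone would display right now. No network is needed, only a clock."""
    return totp(secret, time.time(), step, digits)


def verify_totp(secret: bytes, submitted: str, now: float, step: int = 30,
                digits: int = 6, window: int = 1, used=None) -> bool:
    """Server-side check.

    Accepts the current time step plus `window` steps on either side to absorb clock drift
    between phone and server, compares in constant time, and rejects a code whose time step
    has already been consumed so a captured code cannot be replayed. `used` is the caller's
    per-user set of consumed counters (assumed persisted between calls in a real deployment).
    """
    if used is None:
        used = set()
    if not (submitted.isdigit() and len(submitted) == digits):
        return False
    counter = int(now) // step
    for candidate in range(counter - window, counter + window + 1):
        expected = hotp(secret, candidate, digits)
        if hmac.compare_digest(expected, submitted):   # constant-time comparison
            if candidate in used:
                return False                            # same code presented twice: replay
            used.add(candidate)
            return True
    return False


if __name__ == "__main__":
    # Constructed demo seed (the RFC 6238 test vector secret); real seeds are generated
    # per device at provisioning time and never reused across users.
    seed = b"12345678901234567890"
    print("code now:", current_code(seed))
```

The generator side needs only the shared seed and the clock, which is why a pure time-based app token keeps working with no signal; the drift window on the server is what makes a slightly wrong phone clock tolerable, and the consumed-counter set is what stops an attacker who has phished a code from using it a second time.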
Companies are taking a closer look at how they guard access to data after hackers broke into RSA, Hopkinton-based EMC Corp.’s security division, and used the stolen information to hack into computer networks at defense contractor Lockheed Martin Corp.
Adding to the urgency are new federal guidelines that require financial institutions to tighten security around online banking.
Banks already use the phone in simpler ways: text messages may notify credit card users of account activity or flag big-ticket purchases, and consumers may use their smartphones to pay bills.
But a smartphone can do more, say security professionals. Using one like a security key fob is as simple as downloading an app, said Brendon Wilson, a senior product marketing manager of user authentication at Symantec Corp., a computer security software maker in Mountain View, Calif. “And for the company, there’s no expenditure on a separate token.’’
This allows companies to do away with traditional physical tokens, such as SecurID key fobs. After the March data breach, RSA offered to replace a portion of the SecurID tokens or provide security monitoring. The company said some customers are showing an appetite to replace their security tokens with virtual ones on smartphones.
The cyberattack on RSA had a silver lining. It fueled “new conversations with customers, and it’s not a conversation on just security tokens - it’s a conversation on security,’’ said Sean Brady, director of RSA’s identity management and protection group. “We are at a market inflection point for companies as they review user identification strategies.’’
At RSA, whose SecurID tokens dominate the market, the growth of smartphones as a token device is outpacing traditional tokens, Brady said. The company has placed about 40 million physical tokens with customers. RSA’s SecurID hardware and software tokens are used by 30,000 banks, corporations, and government agencies to prevent unauthorized access to their data networks.
RSA rival SafeNet Inc., a Maryland company that develops security tokens, also reports that smartphones are among its fastest growing categories, said Tsion Gonen, corporate vice president of products at the company.
Companies are also using smartphones to safeguard customers. For instance, a Bank of America customer wiring a large sum of money from an online banking account may get a one-time code on his smartphone to complete the funds transfer.
“Mobile phones are a key part of our strategy,’’ said Keith Gordon, who develops and manages authentication and security for Bank of America’s 29 million online banking customers and 6.5 million mobile banking customers. Smartphones, he added, are more functional.
They will likely play a key role as lenders comply with federal guidelines laid down in June. These rules, for instance, require banks to move beyond customers needing just a username and password to access accounts online.
But are smartphones a better cyber crime-fighting tool? As a security token, a smartphone works much like a key fob: both require the user to present a username, a password, and the device itself. A smartphone, though, can run out of battery, and a code delivered by text message needs network coverage, so an out-of-range phone leaves its owner locked out. Unlike a dedicated fob, the phone is also a general-purpose computer, so any malware installed on it shares the device with the token software.
While no authentication device is foolproof, some companies prefer smart cards, which look like a credit card but house a microchip holding the information that identifies the user. Smart cards can also authorize transactions and allow entry into buildings. The card itself is considered more tamper-proof than a key fob or a smartphone token, said Mark Diodati, a vice president at research and advisory firm Gartner Inc.
These cards, more popular in Europe, are mainly used in the United States by federal agencies, defense companies, banking institutions, and oil and gas companies. Giant defense contractor Northrop Grumman Corp. started replacing its SecurID tokens with smart cards even before the RSA breach.
Still, their use is limited. Unlike a security token, which lets a user reach the company’s network from any device, such as a personal laptop, a smart card works only from a machine that has the software and, in many instances, the hardware to read the card, which in most cases means a company-issued computer.
For companies, costs also matter. For every $1 a firm spends on physical security tokens, it would spend only about 65 cents using smartphones as the tokens, estimates SafeNet’s Gonen; the savings come mainly from eliminating the physical token itself. The cost of smart cards falls between that of key fobs and smartphones.