Possession Factor (Something You Have)
What is Possession Factor (Something You Have)?
An authentication factor based on a physical or cryptographic item the user holds, such as a hardware token, smart card, authenticator app or registered phone.
The possession factor proves identity by something the user has. It includes hardware security keys (FIDO2/WebAuthn), smart cards (PIV, CAC), TOTP/HOTP authenticator apps, SMS or push-approved phones, hardware OTP tokens, and cryptographic keys bound to a TPM or Secure Enclave. Possession factors raise the bar against remote attackers because compromising a credential alone is not enough. Quality varies: SMS and email OTP are vulnerable to SIM swap and phishing, while phishing-resistant FIDO2 keys cryptographically tie the response to the legitimate site. NIST SP 800-63B classifies possession authenticators by assurance level.
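The following Python is an added illustration, not part of this glossary, of the two ends of that quality range: an RFC 4226/6238 TOTP verifier, which accepts a code no matter which site collected it, beside a simplified WebAuthn-style assertion check in which the signed data carries the origin and the rpIdHash, so an assertion produced on a look-alike origin fails at the legitimate relying party. It assumes HMAC as a stand-in for the authenticator's asymmetric signature, omits the flags and counter fields, and uses constructed keys, origins and challenges.

```python
# Added example: TOTP (RFC 4226/6238) versus a simplified WebAuthn assertion.
# HMAC replaces the credential's asymmetric signature (assumption); the
# origin/rpIdHash checks are what give FIDO2 its phishing resistance.
import hashlib
import hmac
import json
import struct

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, unix_time: int, step: int = 30) -> str:
    """RFC 6238 TOTP: HOTP keyed by the current 30-second time step."""
    return hotp(secret, unix_time // step)

def totp_server_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    # The verifier cannot tell whether the code was typed on the real site or
    # captured by a look-alike site: a code relayed within the step is accepted.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def make_assertion(cred_key: bytes, origin: str, challenge: str) -> dict:
    """Simplified WebAuthn 'get' ceremony: the browser records the origin it is
    really on, and the authenticator signs authenticatorData || SHA-256(clientData)."""
    client = json.dumps({"type": "webauthn.get", "challenge": challenge,
                         "origin": origin}, sort_keys=True).encode()
    rp_id = origin.split("://", 1)[1]                    # rpId = host of the origin
    auth_data = hashlib.sha256(rp_id.encode()).digest()  # rpIdHash (flags/counter omitted)
    sig = hmac.new(cred_key, auth_data + hashlib.sha256(client).digest(),
                   hashlib.sha256).digest()
    return {"clientDataJSON": client, "authenticatorData": auth_data, "signature": sig}

def rp_verifies(cred_key: bytes, a: dict, origin: str, rp_id: str, challenge: str) -> bool:
    """Relying-party checks: type, challenge, origin, rpIdHash, then the signature."""
    cd = json.loads(a["clientDataJSON"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != challenge:
        return False
    if cd.get("origin") != origin:      # an assertion made on a phishing origin stops here
        return False
    if a["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = a["authenticatorData"] + hashlib.sha256(a["clientDataJSON"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, a["signature"])
```

The HOTP and TOTP functions reproduce the RFC test vectors (counter 0 gives 755224; T=59 with the 20-byte ASCII secret gives 287082), which is a quick way to check any authenticator implementation.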
● Examples
- 01: Approving a login via a push notification on a registered iPhone with Microsoft Authenticator.
- 02: Touching a YubiKey to satisfy a FIDO2 challenge from a corporate identity provider.
● Frequently asked questions
What is Possession Factor (Something You Have)?
An authentication factor based on a physical or cryptographic item the user holds, such as a hardware token, smart card, authenticator app or registered phone. It belongs to the Identity & Access category of cybersecurity.
What does Possession Factor (Something You Have) mean?
An authentication factor based on a physical or cryptographic item the user holds, such as a hardware token, smart card, authenticator app or registered phone.
How does Possession Factor (Something You Have) work?
The possession factor proves identity by something the user has. It includes hardware security keys (FIDO2/WebAuthn), smart cards (PIV, CAC), TOTP/HOTP authenticator apps, SMS or push-approved phones, hardware OTP tokens, and cryptographic keys bound to a TPM or Secure Enclave. Possession factors raise the bar against remote attackers because compromising a credential alone is not enough. Quality varies: SMS and email OTP are vulnerable to SIM swap and phishing, while phishing-resistant FIDO2 keys cryptographically tie the response to the legitimate site. NIST SP 800-63B classifies possession authenticators by assurance level.
How do you defend against Possession Factor (Something You Have)?
Defences combine technical controls and operational practices. As the definition above notes, SMS and email OTP are exposed to SIM swap and phishing, whereas phishing-resistant FIDO2 keys cryptographically tie the response to the legitimate site, and NIST SP 800-63B classifies possession authenticators by assurance level.
What are other names for Possession Factor (Something You Have)?
Common alternative names include: Something you have, Ownership factor.
● Related terms
- Knowledge Factor (Something You Know) [identity-access № 592]: An authentication factor based on information the user knows, such as a password, PIN, passphrase or answer to a security question.
- Inherence Factor (Something You Are) [identity-access № 533]: An authentication factor based on a biometric characteristic of the user, such as a fingerprint, face, iris, voice or typing rhythm.
- Location Factor (Somewhere You Are) [identity-access № 623]: A contextual authentication factor that uses the user's geographical or network location, such as GPS coordinates, IP geolocation or office Wi-Fi, to evaluate a sign-in.
- Time Factor (Authentication) [identity-access № 1154]: A contextual authentication factor that restricts or evaluates access based on the time of day, day of week or duration of a session, often combined with risk-based policies.
- FIDO Security Key [cryptography № 413]: A hardware authenticator that uses the FIDO U2F or FIDO2/WebAuthn standards to perform phishing-resistant, public-key-based authentication to web and enterprise services.
- Multi-Factor Authentication (MFA) [identity-access № 708]: An authentication method that requires two or more independent factors, typically from different categories, before granting access.