Definition

possession factor

Rahul Awati

By

Rahul Awati

What is a possession factor?

The possession factor, in a security context, is a category of user authentication credentials based on items that the user has with them, typically a hardware device such as a security token or a mobile phone used in conjunction with a software token.

Mandating the use of a possession factor is a common approach in security systems based on two-factor authentication (2FA) and multifactor authentication (MFA). Typically, 2FA and MFA systems also require users to provide a knowledge factor such as a password, PIN, or answer to a secret question and/or an inherence factor such as a fingerprint, faceprint or voice sample.

What is 2FA and MFA?

2FA is an authentication approach in security in which authorized users are required to provide two factors to access a system or account. Both factors are required for the user to confirm their identity and prove to the system that they are allowed access and use. The required authentication factors might be some combination of knowledge, inherence, and possession factors.

2FA provides greater security than single-factor authentication (SFA) systems that are username- or password-based. This is because it's harder for a threat actor to get both factors in order to compromise or damage an account or the data residing within it. For this reason, many organizations prefer 2FA over SFA to protect their business-critical assets and sensitive data.

MFA is like 2FA and has similar security goals. The only difference is that MFA requires the use of two or more authentication factors whereas 2FA requires the use of only two factors.

MFA is becoming increasingly common for mobile authentication, two-factor authentication in particular. Google Authenticator, for example, requires the user to log in to websites as usual and then input a time-based one-time password that is sent to the registered device.

What are the authentication factors in 2FA and MFA?

There are three main categories of user authentication factors used in 2FA and MFA systems:

Possession factor: something the user has, such as a mobile phone or USB dongle.
Knowledge factor: something the user knows, such as a PIN or password.
Inherence factor: something the user is, typically a biological characteristic captured as biometric data, such as fingerprints or voiceprints.

Multifactor authentication, five factors to know — Adding more than one authentication factor typically improves security. Here are five authentication factors to know: time, location, something you have, something you are, and something you know.

2FA uses elements from two of the three categories; three-factor authentication (3FA) involves elements from each of the main categories. Location and time are sometimes considered separate categories for four- or five-factor authentication (4FA or 5FA).

What is the possession factor in MFA and 2FA?

Devices like security tokens and mobile phones represent the possession factor in 2FA and MFA. A possession factor simply refers to a physical item possessed by a user that allows him or her to access an online tool or account. Access to the account is restricted to specific users and having the possession factor ensures that those users are part of the allowed list.

Here are some examples of the most common possession factors used today for authentication:

Mobile phones that receive a PIN.
Hardware tokens like electronic keycards, key fobs and USB dongles that generate a one-time password (OTP).
Smart card with an embedded integrated circuit chip; typically used to secure sensitive transactions and systems, such as financial, healthcare and educational systems.
FIDO2 (Fast Identity Online) security key that facilitates USB, Bluetooth or NFC-based access without the need for a password (that can be guessed or stolen).

Two-factor authentication includes two of three potential authentication factors. — Two-factor authentication is a form of multifactor authentication. It involves picking two of three factors, such as something you know, something you have, and something you are.

Biometric-based wearable devices such as rings that are mapped to a single user and can be used only by that user.
Mobile SIM card that provides strong, cryptography-based security each time the user uses the mobile device to access an online account.

Benefits of using a possession factor

Traditional authentication systems are of the SFA type. SFA systems, such as the familiar user name and password combination, are increasingly considered inadequate in the context of cybersecurity and information security.

One reason is that usernames are easily guessed; another is password cracking. Adding the possession element to logins for two-factor authentication significantly increases the security of the system or account because the users must know their passwords and possess the registered devices associated with their accounts.

When a user tries to access an account using the possession factor, the system checks the validity of that piece of hardware before allowing access. Security keys based on the FIDO2 standard are among the strongest and most reliable possession factors available today. Many keys are based on biometric authentication, meaning they combine the possession factor with the inherence factor to further strengthen account security and prevent unauthorized, i.e., malicious users from accessing the account.

Threat actors trying to compromise the account would have to get past two authentication factors, which is difficult to do. For example, they would not only have to steal the user's username or password, but also gain physical access to the key to fool the system and gain access.

biometric factors diagram — Biometric factors range from biometric scans to voice recognition to iris scans.

Authentication possession factor risks

Adding a possession factor strengthens the security of a system. That said, the possession factor doesn't ensure 100% security because it is based on physical possession, meaning the authorized user must physically possess the smartcard, security key or hardware token to access an account. Keeping the device in a safe place can prevent hackers from using it for malicious purposes. However, if the authorized user is careless, a threat actor might be able to steal the device and use it to access the account the device is meant to protect.

The threat actor might also use social engineering techniques to convince the authorized user to give them access to the device. Increasingly, threat actors eavesdrop on the communications between the authorized user and the security system -- an approach known as man-in-the-middle attacks -- in order to steal the authorized user's identity and access their account.

Despite these risks, adding a possession factor to an authentication system provides much stronger security than knowledge factors like usernames and passwords. Possession factors and MFA are also key components of zero-trust architecture, a security model in which no user or device is implicitly trusted, which ensures more robust security than traditional perimeter security.

Discover five strategies to mitigate vulnerabilities in MFA. Further explore five common authentication factors. Check out four essential identity and access management best practices and see how to fix the top five cybersecurity vulnerabilities.

This was last updated in November 2023

Continue Reading About possession factor

Get greater protection with IoT security advances in authentication

Use these user authentication types to secure networks

Identity management vs. authentication: Know the difference

Mobile device security best practices for business

Top benefits of zero-trust security for businesses

Dig Deeper on Identity and access management

Search Networking

BGP routing: A configuration and troubleshooting tutorial
BGP is the internet's core routing protocol, enabling communication between ISPs and large networks. This guide covers its ...
Cisco Live 2025 conference coverage and analysis
Cisco Live 2025 will largely focus on the need to modernize infrastructure with AI capabilities. Use this guide to follow along ...
Customer experience and hybrid work highlights Webex news at Cisco Live
Cisco unveils a strong set of AI-powered features for Webex Contact Center and Webex Meetings.

Search CIO

Proposed U.S. budget cuts raise fears about tech innovation
President Donald Trump's proposed FY 2026 budget slashes funding for federal agencies, including NSF and NIST, which support tech...
RIT showcase offers glimpse of early tech innovation cycle
Connected vehicle security, AI and 3D printing were among the technologies featured at Imagine RIT, an annual exhibition focusing...
Contempt order worsens Apple's antitrust woes
A federal judge found Apple to be in contempt of an injunction ordering the company to make access to alternative payment options...

Search Enterprise Desktop

How to create a custom Windows 11 image with Hyper-V
When administrators can deploy Windows systems in many ways, creating a custom VM with Hyper-V enables them to efficiently deploy...
End users can code with AI, but IT must be wary
The scale and speed of generative AI coding -- known as vibe coding -- are powerful, but users might be misapplying this ...
10 troubleshooting steps for when Windows Update is frozen
When a Windows desktop is frozen and can't update, there could be many causes. The troubleshooting process can be complicated, ...

Search Cloud Computing

Get started with Amazon Q Developer
Amazon Q Developer is a versatile tool for software development, offering code generation, optimization recommendations and ...
HPE adds Morpheus Data to KVM hypervisor for enterprises
A KVM hypervisor by Hewlett-Packard Enterprise evolves with technology and capabilities from Morpheus Data, an HPE acquisition, ...
Gain insights with Enhanced Monitoring in Amazon RDS
RDS Enhanced Monitoring provides teams with additional data visibility to improve database scalability, performance, availability...

ComputerWeekly.com

Post Office Horizon scandal explained: Everything you need to know
Computer Weekly has investigated the Post Office Horizon scandal since 2008 and is, in fact, part of the story. This guide ...
Dutch universities call for reduced dependence on Big Tech
Dutch universities are calling for greater digital autonomy as more research and educational data is stored in American clouds, ...
Government sets up guidance for 10-year R&D commitment
Research and development is one of the main areas of focus for Labour’s Plan for Change as it readies its Industrial Strategy

Close