The possession factor, in a security context, is a category of user authentication credentials based on items that the user has with them, typically a hardware device such as a security token or a mobile phone used in conjunction with a software token.
There are three main categories of user authentication factors. In addition to the possession factor (described as “something the user has”), there is the knowledge factor (something the user knows) and the inherence factor (something the user is, typically a biological characteristic captured as biometric data). Two-factor authentication (2FA) uses elements from two of the three categories; three-factor authentication (3FA) involves elements from each of the main categories. Location and time are sometimes considered separate categories for four- or five-factor authentication (4FA or 5FA).
Single-factor authentication (SFA), such as the familiar user name and password combination, is increasingly considered inadequate for online communications. User names are easily guessed and most passwords easily cracked. Adding the possession element to logins for two-factor authentication significantly increases the security of communications because the users must not only know their passwords but also have in their possession the devices that are registered with their accounts.
Multifactor authentication (MFA), and two-factor authentication in particular, is becoming increasingly common for mobile authentication. Google Authenticator, for example, requires the user to log in to websites as usual and then input a time-based one-time password (TOTP) that is sent to the registered device.