Possession factor is an authentication factor based on something the user possesses, such as a security token, mobile phone, or smart card.