Quick Definition (30–60 words)
Something You Have is an authentication/authorization factor based on possession of a physical or digital object, such as a security key, smartcard, or token. Analogy: a physical key opens a lock; possession proves identity. Formal: a possession-based credential used in multi-factor authentication and authorization workflows.
What is Something You Have?
Something You Have describes a class of security factors and artifacts where access is granted because a user or system physically or logically possesses a specific object or secret. It is NOT knowledge (passwords) or inherence (biometrics), though it is often combined with them.
Key properties and constraints:
- Possession-based: must be in control of entity.
- Revocable: can be revoked or invalidated centrally.
- Transferable risk: loss or theft equals compromise risk.
- Tied to lifecycle management: issuance, rotation, revocation.
- Usability tradeoffs: physical keys add friction; digital tokens require secure storage.
Where it fits in modern cloud/SRE workflows:
- Access to consoles, administrative operations, CI/CD secrets, API clients.
- Service-to-service authentication in zero trust architectures.
- Hardware-backed keys for developer laptops, build systems, and privileged sessions.
- Integration with cloud identity providers and short-lived credentials.
Diagram description (text-only):
- User or service holds a key object; they present it to an authentication gateway; the gateway validates possession and returns a short-lived token; token is used to access cloud resources or sign requests; logging and telemetry record the transaction for observability.
Something You Have in one sentence
A possession-based credential—physical or digital—used to prove identity or authorize actions, often backed by hardware or secure storage and integrated into multi-factor and zero trust flows.
Something You Have vs related terms (TABLE REQUIRED)
| ID | Term | How it differs from Something You Have | Common confusion |
|---|---|---|---|
| T1 | Something You Know | Knowledge-based, like passwords or PINs | People mix passwords with tokens |
| T2 | Something You Are | Biometric identity, like fingerprints | Biometrics are inherence, not possession |
| T3 | MFA | Multi-factor is a combination | MFA can include possession as one factor |
| T4 | PKI certificate | Certificate is a credential, may be possession-backed | Certificates can be stored or stolen |
| T5 | OTP | One-time password is generated or delivered | OTP may be possession or knowledge-based |
| T6 | Hardware Security Module | HSM is a secure signing device, a type of possession | HSMs are often shared or cloud-managed |
| T7 | Software token | App-stored secret vs hardware token | Software tokens can be cloned |
| T8 | FIDO2/WebAuthn | Protocol using public-key credentials stored on devices | FIDO2 mandates attestation and non-extractable keys |
| T9 | Smartcard | Physical card with secure element | Smartcards require reader hardware |
| T10 | API key | Static secret used by services | API keys are possession-like but often long-lived |
Row Details
- T3: MFA explanation — MFA requires two or more factor types; Something You Have is one factor that improves security when combined with others.
- T4: Certificates — Certificates bind keys to identity; private key possession makes it a Something You Have.
- T6: HSM — HSMs protect keys against extraction and provide signing; managed HSMs are used in cloud.
- T8: FIDO2 — Uses asymmetric keys where private keys are non-exportable and device-bound.
- T10: API key — API keys act as possession factors but are often mismanaged and not rotated.
Why does Something You Have matter?
Business impact:
- Revenue protection: prevents account takeovers that lead to fraud or revenue loss.
- Trust and compliance: helps meet regulations requiring multi-factor or hardware-backed keys.
- Risk reduction: reduces phishing and credential-stuffing effectiveness.
Engineering impact:
- Incident reduction: fewer authentication-driven incidents when properly deployed.
- Velocity tradeoff: initial rollout slows onboarding; long-term reduces security incidents.
- Automation: allows services to authenticate without human passwords using short-lived tokens.
SRE framing:
- SLIs/SLOs: availability of authentication endpoints and key provisioning services.
- Error budgets: authentication failures can consume error budgets and trigger rollbacks.
- Toil: manual key rotation and recovery increases toil; automation reduces it.
- On-call: incidents include lost keys, revoked certificates, or signing service degradation.
What breaks in production — realistic examples:
- Lost hardware keys for a team during an emergency deploy -> blocked operations.
- Key provisioning service outage prevents CI pipelines from obtaining short-lived creds.
- Compromised build server possesses signing keys and pushes malicious artifacts.
- Cloud provider rotates HSM and breaks certificate chains for service-to-service auth.
- Misconfigured token TTL leads to wide-scale session expiration during peak load.
Where is Something You Have used? (TABLE REQUIRED)
| ID | Layer/Area | How Something You Have appears | Typical telemetry | Common tools |
|---|---|---|---|---|
| L1 | Edge / Network | TLS client certs or hardware tokens for admin access | TLS handshakes, cert status | Load balancers, reverse proxies |
| L2 | Service / API | Client certificates or signed JWTs for service auth | Auth logs, token issuance | API gateways, service meshes |
| L3 | Application | User-held security keys or platform tokens | Login events, MFA logs | Identity providers, SDKs |
| L4 | Data / Database | Encrypted keys and key access logs | KMS access logs, DB auth logs | KMS, database IAM |
| L5 | IaaS / PaaS | Cloud instance identity or attached keys | Instance metadata access logs | Cloud IAM, instance profiles |
| L6 | Kubernetes | K8s service account keys or workload identity | Pod identity logs, kube-audit | K8s IRSA, SPIFFE |
| L7 | Serverless | Short-lived tokens or signed requests | Invocation auth traces | Serverless platforms, IAM |
| L8 | CI/CD | Build signing keys and deploy tokens | Build logs, agent auth | CI agents, artifact signers |
| L9 | Incident Response | Hardware tokens for privileged ops | Access approvals, audit trails | PAM systems, ORCHESTRATION |
Row Details
- L2: See that service auth often uses mTLS or JWT signed by possession-held private keys.
- L6: Workload identity in K8s often maps cloud IAM roles to pods using token exchange.
When should you use Something You Have?
When necessary:
- High-privilege access (admin consoles, production deploys).
- Compliance/regulatory requirements.
- Against phishing-prone user bases.
When optional:
- Low-privilege or short-lived developer tasks.
- Internal tools with strict network controls.
When NOT to use / overuse it:
- For every microinteraction if it causes significant friction.
- As the sole control without rotation or revocation capabilities.
Decision checklist:
- If human admin + internet-facing access -> require hardware-backed possession.
- If machine-to-machine short-lived calls -> use ephemeral tokens via KMS or workload identity.
- If offline recovery is required -> ensure backup methods and secure recovery workflows.
Maturity ladder:
- Beginner: Use software tokens and enforce MFA for humans; short-lived API tokens for services.
- Intermediate: Introduce hardware keys for privileged users; centralized key management for services.
- Advanced: Hardware-backed device attestation, automated rotation, workload identity federation, and HSM-backed signing in CI.
How does Something You Have work?
Components and workflow:
- Issuance: generate credential (key, cert, token) and bind to identity.
- Storage: secure device, HSM, secure enclave, or protected software store.
- Proof: present credential to verifier (signing, challenge-response).
- Validation: verifier checks signature, revocation, and attestation.
- Authorization: upon validation, issuer grants short-lived access tokens or roles.
- Revocation: central service marks credential invalid; verifier enforces.
Data flow and lifecycle:
- Provisioning: generate and store a key in secure store and record metadata.
- Activation: user or service binds key to account.
- Use: key signs or authenticates; logs emitted.
- Rotation: keys periodically replaced or re-attested.
- Revocation/retirement: keys disabled and removed.
Edge cases and failure modes:
- Lost/compromised keys: need recovery and revocation process.
- Clock skew affects time-based tokens.
- Key extraction vulnerability in software tokens.
- Network partitions prevent validation against revocation lists.
Typical architecture patterns for Something You Have
- Hardware token for human MFA — use for privileged admin flows.
- Device-based attestation with platform keys — use for managed devices and zero trust.
- HSM-backed signing for CI/CD pipelines — use for artifact signing and certificate issuance.
- Workload identity federation — use for pod-to-cloud IAM with short-lived tokens.
- PKI with private keys on smartcards — use for high-assurance client auth.
- Software-based token in secret store with rotation — use for non-critical service auth.
Failure modes & mitigation (TABLE REQUIRED)
| ID | Failure mode | Symptom | Likely cause | Mitigation | Observability signal |
|---|---|---|---|---|---|
| F1 | Lost key | User cannot authenticate | Physical loss or theft | Revoke and re-issue backup key | Auth failure spike |
| F2 | Key compromise | Unauthorized access | Stolen or copied key | Rotate keys and audit sessions | Unexpected auth success |
| F3 | Provisioning outage | New devices fail setup | KMS or CA down | Failover CA or queue requests | Provisioning error rate |
| F4 | Clock skew | TOTP fail | Device time incorrect | NTP sync and tolerance | TOTP failure metric |
| F5 | Revocation lag | Revoked keys still work | Caching of validation lists | Shorter cache TTLs | Revocation mismatch logs |
| F6 | Extraction from software | Keys exfiltrated from agent | Vulnerable storage | Use hardware-backed stores | Unexpected key usage |
| F7 | HSM quota | Signing delayed | HSM throughput limits | Increase capacity or queue signing | HSM latency metrics |
Row Details
- F2: Rotate keys quickly, search logs for suspicious activity, and revoke affected tokens.
- F5: Implement OCSP/CRL best practices and ensure caches refresh on revocation events.
Key Concepts, Keywords & Terminology for Something You Have
- Access token — short-lived credential used after successful authentication — important for least privilege — pitfall: long TTLs.
- Attestation — proof a device or key is genuine — matters for device trust — pitfall: weak attestation policies.
- Authentication — verifying identity — foundational for security — pitfall: reliance on single factor.
- Authorization — granting rights after auth — separates identity from permissions — pitfall: over-permissive roles.
- Backup key — fallback possession for recovery — critical for continuity — pitfall: insecure storage.
- BRUTE-FORCE — attack pattern against tokens — matters for defense — pitfall: lack of rate limits.
- Certificate Authority (CA) — issuer of certificates — core to PKI — pitfall: single CA compromise.
- Challenge-response — interactive proof of possession — protects against replay — pitfall: predictable challenges.
- Chip-backed key — hardware stored private key — increases security — pitfall: device loss.
- Clock skew — time mismatch affecting time-based tokens — matters for TOTP — pitfall: hard TTLs.
- Client certificate — TLS cert used by clients — enables mutual TLS — pitfall: expired certs.
- Cross-signing — CA signs another CA — relevant for trust chains — pitfall: mis-issued certs.
- Device fingerprinting — device attribute profile — helps detect anomalies — pitfall: false positives.
- Device identity — unique device identifier — used in zero trust — pitfall: spoofable IDs.
- Device recovery — process to regain access — operational necessity — pitfall: insecure recovery flow.
- Diffie-Hellman — key agreement protocol — used in secure channels — pitfall: weak parameters.
- Entropy source — randomness for key generation — crucial for crypto — pitfall: low entropy environments.
- Ephemeral credentials — short-lived tokens — reduces blast radius — pitfall: renew failures.
- Exportability — whether private key can be extracted — hardware keys are non-exportable — pitfall: exportable keys leaked.
- FIDO2 — modern web auth standard — provides phishing-resistant keys — pitfall: poor deployment.
- HSM — hardware security module — secures keys — pitfall: misconfiguration.
- Identity provider — issues identity assertions — central to SSO — pitfall: single point of failure.
- JSON Web Token — signed token format — common for services — pitfall: none validation of alg.
- Key rotation — replacing keys regularly — reduces long-term risk — pitfall: missing dependencies.
- Key management system — issues and stores keys — central to lifecycle — pitfall: access sprawl.
- Key wrapping — encrypting keys for storage — used for protection — pitfall: weak wrapping keys.
- KMS — cloud key management service — provides managed key lifecycle — pitfall: permissions misuse.
- MFA — multiple authentication factors — increases security — pitfall: poor UX causing bypass.
- OTP — one-time password — time or event based — pitfall: interception or SIM swap.
- Out-of-band — separate channel for verification — helps prevent phishing — pitfall: slower UX.
- PKI — public key infrastructure — underpins certificates — pitfall: expired roots.
- Private key — secret half of asymmetric pair — possession object — pitfall: leakage.
- Public key — verifiable half of pair — verifies signatures — pitfall: trust mis-assignments.
- Revocation — invalidating credential — necessary after compromise — pitfall: stale caches.
- Secure enclave — isolated hardware environment — protects keys — pitfall: supply chain risk.
- Service account — non-human identity — uses possession-based creds — pitfall: long-lived secrets.
- Signature — cryptographic proof of possession — used for auth and integrity — pitfall: weak algorithms.
- Smartcard — card with secure element — physical possession device — pitfall: card readers shortage.
- Software token — key stored in software — convenient but weaker — pitfall: cloning via malware.
- TPM — trusted platform module — device crypto root — important for device attestation — pitfall: disabled TPM.
- Zero trust — architecture assuming breach — Something You Have is a device factor — pitfall: only device checks without risk context.
(Note: terms overlap and are intentionally concise; each matters for implementing and operating possession-based security at scale.)
How to Measure Something You Have (Metrics, SLIs, SLOs) (TABLE REQUIRED)
| ID | Metric/SLI | What it tells you | How to measure | Starting target | Gotchas |
|---|---|---|---|---|---|
| M1 | Auth success rate | Fraction of valid auths | successful auths / attempts | 99.95% | Include maintenance windows |
| M2 | Provisioning latency | Time to issue key | time from request to issuance | <30s for automated | Human approvals add delay |
| M3 | Key rotation compliance | Percent rotated on schedule | rotated keys / scheduled | 100% for critical keys | Orphan keys reduce ratio |
| M4 | Revocation propagation | Time to stop using revoked key | time from revoke to fail | <60s for critical paths | CDN or cache delays |
| M5 | Unauthorized usage count | Detected suspicious auths | anomalous auth events | 0 | Requires anomaly detection |
| M6 | HSM latency | Signing time | median signing ms | <50ms | Burst queues affect tail |
| M7 | MFA enrollment rate | Users registered with possession factor | enrolled users / total | 95% for admins | Enrollment friction reduces rate |
| M8 | Lost key incidents | Incidents due to lost possession | count per period | 0 | Encourage reporting to reduce impact |
| M9 | Token TTL compliance | Fraction using recommended TTLs | compliant tokens / total | 100% for sensitive | Legacy apps may have long TTLs |
| M10 | Auth-related toil | Manual ops hours per month | hours logged | Reduce quarter over quarter | Hard to quantify consistently |
Row Details
- M1: Define valid vs invalid attempts and exclude health checks.
- M4: Measure across caches, gateways, and CDN edge to ensure full propagation.
Best tools to measure Something You Have
Pick 5–10 tools. For each tool use this exact structure (NOT a table):
Tool — Prometheus + Metrics pipeline
- What it measures for Something You Have: latency, request rates, auth success/failure counters.
- Best-fit environment: Kubernetes, microservices, on-prem.
- Setup outline:
- Instrument auth services with counters and histograms.
- Export HSM and KMS metrics.
- Use pushgateway for short-lived job metrics.
- Configure recording rules for SLI computation.
- Persist long-term metrics to remote storage.
- Strengths:
- High resolution metrics and alerting.
- Flexible query language for SLIs.
- Limitations:
- Cardinality issues with many keys.
- Requires long-term storage for historical analysis.
Tool — OpenTelemetry + Tracing
- What it measures for Something You Have: end-to-end auth flows and latencies.
- Best-fit environment: Distributed systems, microservices.
- Setup outline:
- Instrument auth gateways and token issuance paths.
- Capture spans for provisioning and validation.
- Tag spans with key IDs and revocation status.
- Correlate traces with logs and metrics.
- Strengths:
- Root-cause tracing across services.
- Context propagation for audit.
- Limitations:
- Sampling may miss rare failure modes.
- Storage and UX costs for high-volume traces.
Tool — Cloud Provider KMS / HSM metrics
- What it measures for Something You Have: usage, latency, errors for key operations.
- Best-fit environment: Cloud-managed key operations.
- Setup outline:
- Enable provider metrics and audit logs.
- Monitor quotas and error rates.
- Set alerts on latencies and throttling.
- Strengths:
- Direct visibility into KMS operations.
- Integrated IAM logs.
- Limitations:
- Vendor-specific metric semantics.
- Some internals are opaque.
Tool — SIEM / Audit log aggregator
- What it measures for Something You Have: access patterns, anomalous use, revocation events.
- Best-fit environment: Enterprise compliance and security.
- Setup outline:
- Collect auth service logs, KMS logs, and device attestation logs.
- Build detection rules for suspicious usage.
- Retain logs per compliance requirements.
- Strengths:
- Centralized investigation and forensics.
- Alerting for security incidents.
- Limitations:
- Alert fatigue without tuning.
- High ingestion costs.
Tool — UEM / Endpoint management
- What it measures for Something You Have: device health, attestation, key presence.
- Best-fit environment: Corporate devices and managed endpoints.
- Setup outline:
- Enroll devices and enforce attestation checks.
- Report key enrollment and revocation status.
- Integrate with identity provider for device posture enforcement.
- Strengths:
- Control over hardware-backed keys.
- Enables device-based policies.
- Limitations:
- Requires device management buy-in.
- Not all devices supported.
Recommended dashboards & alerts for Something You Have
Executive dashboard:
- Panels: Auth success rate, provisioning backlog, unauthorized usage count, number of enrolled devices, key rotation compliance.
- Why: High-level health for executives and risk owners.
On-call dashboard:
- Panels: Real-time auth failures, provisioning error traces, HSM latency and errors, revocation propagation status, incident queue.
- Why: Fast triage and impact assessment for responders.
Debug dashboard:
- Panels: Per-service auth latency histogram, recent revocations and their propagation, trace links, affected tokens list, user/device mapping.
- Why: Deep troubleshooting and RCA.
Alerting guidance:
- What should page vs ticket:
- Page: Production auth service down, HSM failure impacting signing, large spike in unauthorized usage.
- Ticket: Degraded provisioning latency under threshold, single-user key loss.
- Burn-rate guidance:
- If error budget burn exceeded threshold in short window, escalate and consider rollback of recent auth changes.
- Noise reduction tactics:
- Deduplicate alerts by grouping by incident ID or root cause.
- Suppress noisy alerts during planned maintenance.
- Use alert thresholds with sliding windows and anomaly detection.
Implementation Guide (Step-by-step)
1) Prerequisites – Inventory of privileged access points. – Identity provider and IAM model. – Key management solution and HSM or secure enclave availability. – Device management (UEM) strategy for hardware keys.
2) Instrumentation plan – Define SLIs and events to log (issuance, use, revoke). – Instrument auth flows with metrics and traces. – Ensure audit logs carry key identifiers.
3) Data collection – Centralize logs in SIEM or log store. – Export KMS/HSM metrics to metrics pipeline. – Aggregate device attestation data.
4) SLO design – Set auth availability and provisioning latency SLOs. – Create error budgets specifically for authentication outages.
5) Dashboards – Build executive, on-call, and debug dashboards as described. – Expose per-environment views and filtered access.
6) Alerts & routing – Define severity levels and paging rules. – Route auth incidents to both SRE and security teams for mixed-impact events.
7) Runbooks & automation – Create runbooks for lost key, compromised key, and provisioning outage. – Automate revocation scripts and key rotation where possible.
8) Validation (load/chaos/game days) – Load test provisioning and HSM capacity. – Run simulated lost-key drills and game days to validate recovery. – Use chaos engineering to disable KMS or CA and observe system behavior.
9) Continuous improvement – Review incidents and SLO breaches monthly. – Expand automation for recurring manual tasks.
Pre-production checklist:
- Test key issuance and validation end-to-end.
- Ensure revocation propagation works across caches.
- Verify monitoring and alerting on metrics.
- Confirm backup/recovery flows for lost keys.
Production readiness checklist:
- Confirm enrollment coverage for critical users.
- Ensure HSM/KMS capacity meets peak expected load.
- Validate automated rotation and revocation policies.
- Ensure runbooks are reviewed and accessible.
Incident checklist specific to Something You Have:
- Identify affected keys and scope.
- Revoke compromised credentials immediately.
- Rotate keys and notify stakeholders.
- Search audit logs for unauthorized activity.
- Restore access via recovery keys and document root cause.
Use Cases of Something You Have
1) Privileged admin console access – Context: Admins need secure access to production consoles. – Problem: Password-only access leads to takeovers. – Why it helps: Hardware keys prevent phishing and credential theft. – What to measure: MFA enrollment, auth success rate, lost key incidents. – Typical tools: Hardware tokens, identity provider, UEM.
2) CI/CD artifact signing – Context: Build artifacts must be verified before release. – Problem: Compromise of build system can introduce malicious artifacts. – Why it helps: HSM-backed signing ensures provenance. – What to measure: Signing latency, unauthorized signing attempts. – Typical tools: HSM, KMS, CI plugin.
3) Service-to-service auth in zero trust – Context: Microservices require secure auth without static secrets. – Problem: Long-lived secrets leak and are hard to rotate. – Why it helps: Workload identity and short-lived tokens bound to instance keys. – What to measure: Token TTL compliance, revocation propagation. – Typical tools: SPIFFE, KMS, service mesh.
4) Remote workforce device authentication – Context: Remote employees use laptops to access resources. – Problem: Device identity is weak; compromised endpoints access sensitive systems. – Why it helps: Device-backed keys enforce posture-based access. – What to measure: Device attestation failures, enrollment rate. – Typical tools: UEM, TPM, identity provider.
5) API consumer authentication – Context: Third-party apps call APIs. – Problem: Static API keys are leaked. – Why it helps: Client certificates or short-lived signed tokens reduce risk. – What to measure: Unauthorized usage, certificate expiry. – Typical tools: API gateway, CA.
6) Smartcard-based government systems – Context: High-assurance logins required. – Problem: Passwords insufficient for sensitive operations. – Why it helps: Smartcards with PIN + card give MFA and non-repudiation. – What to measure: Enrollment, failed auths, revocations. – Typical tools: Smartcards, middleware, PKI.
7) Recovery and emergency access – Context: Keyholders lost devices during incident response. – Problem: Locked-out operators delay recovery. – Why it helps: Backup possession keys and break-glass flows ensure continuity. – What to measure: Recovery time, misuse of emergency keys. – Typical tools: Vault, break-glass protocols.
8) IoT device identity – Context: Thousands of devices talk to cloud APIs. – Problem: Device spoofing and long-lived secrets risk. – Why it helps: Device certificates and hardware roots establish trust. – What to measure: Device attestation success, certificate rotation. – Typical tools: TPM, device registries, fleet management.
9) Database encryption key access – Context: Databases use envelope encryption. – Problem: Exposed DB keys compromise data. – Why it helps: KMS-held keys with access policies bound to instances. – What to measure: KMS access logs, key usage anomalies. – Typical tools: KMS, IAM, DB encryption plugins.
10) Remote signing for financial transactions – Context: High-value transactions require signing. – Problem: Weak signing processes invite fraud. – Why it helps: Hardware-backed signing ensures non-repudiation. – What to measure: Signing latency, unauthorized signing attempts. – Typical tools: HSM, legal signing middleware.
Scenario Examples (Realistic, End-to-End)
Scenario #1 — Kubernetes workload identity with short-lived tokens
Context: Microservices on Kubernetes need cloud API access without static credentials.
Goal: Enable secure, short-lived service auth using pod-bound credentials.
Why Something You Have matters here: Pod identity based on non-exportable keys reduces secret sprawl and limits blast radius.
Architecture / workflow: K8s pod requests a signed token from a workload identity agent which uses a local private key tied to node or pod; agent exchanges proof with cloud STS to receive short-lived credentials.
Step-by-step implementation:
- Deploy workload identity agent as sidecar or node daemon.
- Provision device-bound keys into node’s secure enclave or KMS.
- Configure admission controller to inject identity bindings.
- Implement token exchange with cloud STS using mutual TLS.
- Instrument traces and metrics for token issuance.
What to measure: Token issuance latency, token failure rate, unsuccessful auths to cloud APIs.
Tools to use and why: SPIFFE for identity standardization; KMS for key storage; metrics via Prometheus.
Common pitfalls: Sidecar injection failures, node-level key compromise, long token TTLs.
Validation: Game day: disable KMS and observe failover to queued issuance.
Outcome: Reduced static secret usage and improved auditing of service access.
Scenario #2 — Serverless function authenticating to third-party API
Context: Serverless functions call external APIs requiring client credentials.
Goal: Avoid embedding static API keys in functions and provide revocation control.
Why Something You Have matters here: Use platform-managed short-lived tokens derived from a signing key to prove possession without embedding secrets.
Architecture / workflow: Function requests platform token from platform KMS/HSM via secure metadata; platform signs request and returns ephemeral client credential to function.
Step-by-step implementation:
- Store signing keys in KMS with strict IAM roles.
- Implement token broker that issues short-lived tokens to functions.
- Set conservative TTLs and enforce refresh logic in function code.
- Log and monitor token issuance and usage.
What to measure: Token TTL compliance, token issuance errors, unauthorized call counts.
Tools to use and why: Cloud KMS for keys; serverless platform auth metadata; SIEM for logging.
Common pitfalls: Cold-starts interfering with token refresh, over-permissive roles.
Validation: Load test high-concurrency token issuance and monitor KMS quotas.
Outcome: Reduced risk of leaked API keys with centralized revocation.
Scenario #3 — Incident response: lost hardware keys during outage
Context: Several on-call engineers lose hardware tokens while responding to outage.
Goal: Restore access quickly while maintaining security posture.
Why Something You Have matters here: Lost possession affects human access; processes must allow secure recovery without bypassing controls.
Architecture / workflow: Emergency access flow uses break-glass keys protected in vault with multi-person approval and time-limited access.
Step-by-step implementation:
- Trigger incident playbook that authenticates via alternative factors.
- Use break-glass vault to issue temporary admin cred after approvals.
- Revoke lost keys and add replacements once validated.
- Post-incident, rotate affected keys and audit use of break-glass credentials.
What to measure: Time to recovery, break-glass usage count, post-incident revocations.
Tools to use and why: Vault for emergency creds; ticketing for approvals; logs for audit.
Common pitfalls: Overused break-glass causing compliance issues, incomplete revocation.
Validation: Simulated lost-key drill monthly.
Outcome: Faster recovery with controlled, auditable emergency access.
Scenario #4 — Cost vs performance: HSM-backed signing at scale
Context: High-frequency signing in CI pipelines causes HSM costs to spike.
Goal: Balance security of HSM with cost and throughput needs.
Why Something You Have matters here: HSM provides non-extractable keys; overuse increases cost.
Architecture / workflow: Hybrid signing: HSM used for root signing and ephemeral keys used for high-volume operations after HSM-approved delegation.
Step-by-step implementation:
- Use HSM to sign and issue short-lived intermediate keys.
- Cache intermediate keys with strict TTLs for pipeline use.
- Monitor HSM quotas and rotate intermediate keys regularly.
- Audit signing operations and restrict scope.
What to measure: HSM request rate and cost, signing latency, unauthorized signing attempts.
Tools to use and why: HSM/KMS metrics, CI plugin integration, Prometheus for cost telemetry.
Common pitfalls: Long-lived intermediate keys increasing risk, improper scope delegation.
Validation: Load test signing flow and measure HSM costs and latency under peak loads.
Outcome: Lower HSM usage costs while preserving root key security.
Common Mistakes, Anti-patterns, and Troubleshooting
- Symptom: High number of failed MFA attempts -> Root cause: Time sync issues or misconfigured token TTL -> Fix: NTP sync and increase tolerance.
- Symptom: Revoked keys still accepted -> Root cause: Cached validation lists -> Fix: Reduce cache TTLs and propagate revocation events.
- Symptom: CI builds can’t sign artifacts -> Root cause: HSM quota exhaustion -> Fix: Increase HSM capacity or queue requests.
- Symptom: Excessive alert noise -> Root cause: Unfiltered events from auth service -> Fix: Implement dedupe and severity filters.
- Symptom: Lost admin access after device loss -> Root cause: No emergency recovery process -> Fix: Implement break-glass vault and multi-person approvals.
- Symptom: Long provisioning delays -> Root cause: Manual approval bottlenecks -> Fix: Automate safe approval flows for low-risk cases.
- Symptom: Keys found in code repo -> Root cause: Poor secret handling -> Fix: Secret scanning, revoke keys, and rotate.
- Symptom: High tail latency on auth -> Root cause: Synchronous HSM calls in critical path -> Fix: Introduce async signing and caching of short-lived tokens.
- Symptom: Unexpected token acceptance -> Root cause: Weak validation of signing algorithm -> Fix: Enforce strict JWT alg checks and key ID mapping.
- Symptom: Device attestation failures -> Root cause: Outdated UEM agent -> Fix: Update agents and enforce compatibility.
- Symptom: Service account leak -> Root cause: Long-lived service keys -> Fix: Move to workload identity and ephemeral credentials.
- Symptom: Poor adoption of hardware keys -> Root cause: UX friction and lack of training -> Fix: Provide enrollment automation and training.
- Symptom: Incomplete audit trails -> Root cause: Missing metadata in logs -> Fix: Add key IDs and context to logs.
- Symptom: Token replay attacks -> Root cause: Lack of nonce or replay protection -> Fix: Implement nonces and short TTLs.
- Symptom: High manual toil for rotation -> Root cause: No automation -> Fix: Implement key lifecycle automation in KMS.
- Symptom: False positive device bans -> Root cause: over-aggressive device posture rules -> Fix: Tune risk thresholds and fallback flows.
- Symptom: Failure during cloud provider rotation -> Root cause: Assumed availability of old keys -> Fix: Use overlapping validity during rotation.
- Symptom: Auditors flag weak MFA -> Root cause: Accepting SMS OTP -> Fix: Move to hardware-backed or app-based OTP.
- Symptom: Secret scanning alerts missed -> Root cause: Lack of CI checks -> Fix: Add pre-commit and pipeline scanning.
- Symptom: Observability blind spots -> Root cause: Not instrumenting token broker -> Fix: Add metrics, traces, and logs.
- Symptom: Overpermissioned keys -> Root cause: Broad role bindings -> Fix: Apply least privilege and scoped keys.
- Symptom: Slow incident response -> Root cause: No joint SRE-security playbook -> Fix: Create integrated runbooks and drills.
- Symptom: Unauthorized device enrollment -> Root cause: Weak enrollment policy -> Fix: Add attestation and approval gating.
- Symptom: TLS client cert expiry -> Root cause: Missing renewal automation -> Fix: Automate cert rotation and alerts.
- Symptom: Key export from device -> Root cause: Use of exportable keys -> Fix: Use hardware non-exportable keys and enforce via attestation.
Observability pitfalls included above: missing metadata, blind spots, noisy alerts, sampling gaps, and lack of long-term retention.
Best Practices & Operating Model
- Ownership and on-call: IAM or security team owns key management; SRE owns availability. Joint on-call for auth outages.
- Runbooks vs playbooks: Runbooks for operational steps; playbooks for cross-team incident coordination.
- Safe deployments: Canary issuance of new CA or key rotation with overlap and feature flags.
- Toil reduction and automation: Automate rotation, provisioning, and recovery; use policy-as-code.
- Security basics: Least privilege, strict logging, non-exportable keys, attestation, and rapid revocation workflows.
Weekly/monthly routines:
- Weekly: Review failed auth spikes, review recent revocations, verify SLI compliance.
- Monthly: Rotate non-critical keys, review device enrollment and posture, audit service account usage.
Postmortem review items related to Something You Have:
- How was possession verified and did it fail?
- Was revocation timely and effective?
- Did backups and recovery function as expected?
- Were there gaps in observability or instrumentation?
- Recommendations for automation and policy changes.
Tooling & Integration Map for Something You Have (TABLE REQUIRED)
| ID | Category | What it does | Key integrations | Notes |
|---|---|---|---|---|
| I1 | KMS / HSM | Stores and signs with keys | IAM, CI/CD, K8s | See details below: I1 |
| I2 | Identity Provider | User and device auth | MFA, UEM, SSO | Supports hardware token policies |
| I3 | Service Mesh | mTLS for services | K8s, SPIFFE, KMS | Terminate mutual TLS inside mesh |
| I4 | UEM | Device enrollment and posture | Identity, TPM, Attestation | Enforces device-based policies |
| I5 | CI/CD | Pipeline signing and auth | KMS, HSM, Artifact repo | Integrate secret-less build flows |
| I6 | SIEM | Log aggregation and detection | Auth services, KMS, HSM | Centralized security alerts |
| I7 | Vault / Secret Store | Dynamic secrets and break-glass | IAM, Audit logs | Use for emergency creds |
| I8 | API Gateway | Client cert and token validation | CA, SIEM, Metrics | Enforce token policies at edge |
| I9 | PKI / CA | Issue certs for clients | K8s, API gateways | Root CA management needed |
| I10 | Monitoring | Metrics and alerting | Auth services, HSM | Critical for SLOs |
Row Details
- I1: KMS/HSM — Use HSM for root key protection and KMS for managed lifecycle; integrate with CI to sign artifacts and with K8s for pod identity.
Frequently Asked Questions (FAQs)
What exactly counts as Something You Have?
Usually a physical token, smartcard, hardware key, or device-protected private key; any credential bound to possession.
Can software tokens be considered Something You Have?
Yes, but software tokens are weaker because they can be copied; hardware-backed keys are stronger.
Is SMS OTP acceptable as possession?
SMS is considered weak and subject to SIM swap; not recommended for high-risk use cases.
How should keys be rotated in production?
Automate rotation with overlapping validity and validate consumers before retiring old keys.
What happens when a user loses their hardware key?
Follow recovery runbook: revoke lost key, issue emergency access with approval, then provision replacement.
How do you detect compromised keys?
Monitor for anomalous usage patterns, geographic anomalies, and unexpected service calls; correlate with SIEM.
What telemetry is essential?
Auth success/failure, provisioning times, revocation events, HSM metrics, and device attestation logs.
Are hardware keys required for all employees?
Depends on risk profile; require for privileged users and offer for others based on threat model.
How does Something You Have fit into zero trust?
It becomes a device factor and a source of attestation used along with risk signals for access decisions.
How long should tokens live?
Short-lived; typical starting points: minutes to hours for high-privilege, hours for services; vary by use case.
Can HSMs be a single point of failure?
Yes; design redundancy and failover and use caching with caution.
How do you avoid losing access during CA rotation?
Use overlapping cert validity, staged rollout, and test in lower environments.
How do you secure software tokens on developer machines?
Use secure enclave, disk encryption, and UEM policies; avoid storing secrets in cleartext.
Should service accounts use hardware-backed keys?
Prefer workload identity and ephemeral tokens; hardware-backed keys for highly sensitive services.
How to handle provisioning at scale?
Automate enrollment, use attestation, and integrate with device management and identity provider.
What audits are necessary?
Record issuance, use, revocation, and recovery actions and retain per compliance requirements.
Can possession-based factors be phished?
Hardware-backed attestation and FIDO2 significantly reduce phishing risk; software tokens can be phished.
How to escalate when auth systems fail?
Page SRE and security; use break-glass runbooks and communicate to stakeholders.
Conclusion
Something You Have is a foundational possession-based factor crucial for secure authentication and authorization in modern cloud-native systems. Proper lifecycle management, observability, and automation turn a possession factor from a risk into a strong control.
Next 7 days plan:
- Day 1: Inventory all high-privilege access points and current possession factors.
- Day 2: Ensure logging of issuance, usage, and revocation events is enabled.
- Day 3: Prototype short-lived token issuance for one non-critical service.
- Day 4: Enroll a pilot group with hardware keys and document UX problems.
- Day 5: Run tabletop for lost-key incident and refine recovery runbook.
Appendix — Something You Have Keyword Cluster (SEO)
- Primary keywords
- Something You Have
- possession-based authentication
- hardware security key
- hardware-backed key
-
device attestation
-
Secondary keywords
- HSM-backed signing
- key management lifecycle
- workload identity federation
- short-lived tokens
-
device-based MFA
-
Long-tail questions
- What is something you have in authentication
- How do hardware security keys work for MFA
- How to manage lost hardware tokens in production
- How to implement key rotation with HSM
-
Best practices for device attestation in zero trust
-
Related terminology
- PKI
- FIDO2
- WebAuthn
- TPM
- secure enclave
- KMS
- mutual TLS
- SPIFFE
- OCSP
- CRL
- certificate authority
- key wrapping
- token exchange
- service account
- ephemeral credentials
- break-glass
- UEM
- device posture
- SIEM
- OpenTelemetry
- Prometheus
- SLO
- SLI
- error budget
- CI/CD signing
- artifact provenance
- enrollment
- revocation
- rotation
- attestation
- non-exportable keys
- exportable keys
- smartcard
- software token
- OTP
- PIN
- TPM-backed key
- hardware token enrollment
- emergency access
- secure boot
- supply chain security
- time-based OTP
- challenge-response
- zero trust device identity