Overview#

Proof-of-Possession (PoP) is an assertion where the presenter presents some Cryptographic Key, Security Token or Secret

Proof-of-Possession implies a Possession Factor as used to Authenticate and often used in Multi-Factor Authentication

Proof-of-Possession refers to Cryptographic methods that mitigate the risk of Security Tokens being stolen and used by an attacker. In contrast to 'Bearer Tokens', where mere possession of the Security Token allows the attacker to use it, a PoP Security Token cannot be so easily used - the attacker MUST have both the token itself and access to some key associated with the token (which is why they are sometimes referred to 'Holder-of-Key' (HoK) tokens).

PoP describes a general security characteristic of a Secret - there are different ways to achieve that characteristic.

• Token Binding Protocol
• Token Binding over HTTP
• A Proof-of-Possession Token as the Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
• Demonstration of Proof-of-Possession (DPoP)
• SAML Holder of Key

More Information#

There might be more information for this subject on one of the following:

• Authentication Method Reference Values
• Authenticator Assurance Levels
• Credential
• Data Accuracy
• Demonstration of Proof-of-Possession
• Derived Credential
• Holder-of-Key
• Hwk
• LOA 3
• LOA 4
• M-04-04 Level of Assurance (LOA)
• OAuth 2.0 Demonstration of Proof-of-Possession at the Application Layer
• OAuth 2.0 Proof-of-Possession (PoP) Security Architecture
• POP
• PoP
• Proof Key for Code Exchange by OAuth Public Clients
• Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)
• Sender Constrained Token
• Swk
• Token Binding Protocol

---

• [#1] - New Standards Emerging for HoK Tokens - based on information obtained 2015-05-02
• [#2] - Proof of Possession Models - based on information obtained 2019-05-25