Accelerate NIST compliance with behavioral biometrics

October 17, 2021

The National Institute of Standards and Technology (NIST), formerly the National Bureau of Standards, is a non-regulatory agency of the United States Department of Commerce. Its mission is to promote American innovation and industrial competitiveness. As part of its mission, NIST provides guidance and standards for recommended security controls to federal agencies. As these standards are endorsed by the government, many corporate security teams use NIST guidelines as the baseline when designing security systems.

With the NIST Special Publication 800-63 Digital Identity Guidelines and its Cybersecurity Framework, NIST has created a strong starting point for mitigating identity risk in your organization. The framework integrates industry standards and best practices to help organizations manage cybersecurity risk.

By strengthening NIST guidelines with the latest in behavioral biometrics, organizations can protect digital identity, prevent unauthorized access, detect fraud, and mitigate attacks stemming from third-party breaches and other sources of leaked personally identifiable information (PII).

NIST Cybersecurity framework

Behavioral biometrics & NIST Cybersecurity Framework

The NIST Cybersecurity Framework contains five major functions: Identify, Protect, Detect, Respond, and Recover. Behavioral biometrics can be used across these five functions to meet framework requirements, empower risk management decisions and investigations, and unlock new identity value without user friction.


The Identify function assists in developing an organizational understanding to manage cybersecurity risk to systems, people, assets, data, and capabilities. Behavioral biometrics help achieve this by profiling users and their interactions with an application, a service, or an entire access management infrastructure.

Profiling is achieved by having machine learning models analyze and train on traits from behavioral interactions of the user during the normal usage of the service. Successful profiling of a user gives the ability to assess the probability that future interactions from this user really belong to the expected user, or not. Throughout returning visits, the user’s interactions are then compared against their behavioral profile to verify that it is the correct user.

In the case of identity onboarding, without previous behavior to match against, behavioral biometrics can still be used to analyze for high-risk behaviors by comparing new interactions against the population baseline for that onboarding process. This profiling can differentiate genuine vs fraudulent users in how they perform common onboarding flows, as fraudulent users tend to do multiple signups and are more experienced with the application flow, while at the same time they have a lower familiarity with the data they are entering, often stolen PII, compared to genuine users.


The Protect function outlines safeguards to ensure delivery of critical services. The Protect function supports the ability to limit or contain the impact of a cybersecurity event. Behavioral biometrics help achieve this by strengthening access controls so that only authorized individuals can access accounts and services.

After identity has been established, behavioral biometrics can be used to continuously verify the user, regardless of their location, device, or ability to pass token-based challenges. This is especially important now, when remote work has created opportunities for threats previously mitigated by office buildings' physical access controls. Today, family members and friends might have free access to a critical device and the know-how to bypass knowledge and possession challenges. They cannot, however, bypass the continuous inherence controls that behavioral biometrics enables. So, even if a familiar fraudster has access to the victim’s credentials and push-tokens, they won’t match the genuine user’s behavioral profile, and can thus be detected as they attempt to interact with the victim’s account.


The Detect function defines the appropriate activities to identify the occurrence of a cybersecurity event. Behavioral biometrics help achieve this by providing a new category of real-time intelligence capable of detecting anomalies and cybersecurity events traditional methods often miss.

Behavioral biometrics can be used to detect anomalies caused by various attack vectors such as malware, trojans, remote access tools and social engineering attacks. As these attack vectors will behave distinctly differently from the normal user, it becomes elementary for a security system to spot them with behavioral biometrics deployed. All of this is done through transparent behavioral analysis, so end-users can be provided with a seamless experience while security systems are able to continuously monitor interactions and pinpoint issues before they become threats.


The Respond function includes activities to take action regarding a detected incident. Behavioral biometrics can help the Respond function contain the impact of cybersecurity incidents by greatly shortening the time-to-detection.

As behavioral biometrics is able to continuously monitor sessions, it can aid in responding mid-session to mitigate an ongoing attack before any harm is done to the victim or organization. When a behavioral biometrics anomaly is detected, such as signs of fraudulent activity or a user deviating too far from their stored behavioral profile, the security system can take the appropriate action and prompt a step-up or terminate the session completely. As the monitoring is continuous and the detection is near-instant, behavioral biometrics can help ensure that the response process is timely so organizations can contain cybersecurity incidents faster and greatly limit the value at risk.
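The profile comparison and mid-session response described above can be sketched as follows. This is an added example, not code from the original article or from any product: the three features, the z-score distance (a simple stand-in for the machine learning models the article mentions), the thresholds, and all sample values are assumptions constructed for illustration.

```python
from statistics import mean, stdev

# Constructed enrolment sessions for one user. Assumed features per session:
# (mean key dwell ms, mean key flight ms, mean pointer speed px/s)
ENROLLED = [
    (95.0, 140.0, 410.0),
    (102.0, 133.0, 395.0),
    (98.0, 146.0, 430.0),
    (91.0, 138.0, 405.0),
    (104.0, 150.0, 420.0),
]

def build_profile(sessions):
    """Behavioral profile: per-feature (mean, sample stdev) over enrolment."""
    return [(mean(col), stdev(col)) for col in zip(*sessions)]

def anomaly_score(profile, window):
    """Mean absolute z-score of one observation window against the profile."""
    # Floor the deviation so a perfectly constant feature cannot divide by zero.
    return mean(abs(x - m) / max(s, 1e-9) for (m, s), x in zip(profile, window))

def decide(score, step_up_at=2.0, terminate_at=4.0):
    """Map a score to a response; both thresholds are assumed values."""
    if score >= terminate_at:
        return "terminate"
    if score >= step_up_at:
        return "step_up"
    return "allow"

def monitor(profile, windows):
    """Score each window as it arrives and stop as soon as one terminates."""
    actions = []
    for window in windows:
        action = decide(anomaly_score(profile, window))
        actions.append(action)
        if action == "terminate":
            break
    return actions

# Constructed session: genuine typing, moderate drift, then a different
# operator taking over; the final window is never reached.
SESSION = [
    (97.0, 142.0, 415.0),
    (110.0, 158.0, 445.0),
    (60.0, 80.0, 900.0),
    (97.0, 142.0, 415.0),
]

if __name__ == "__main__":
    print(monitor(build_profile(ENROLLED), SESSION))
```
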


The Recover function identifies activities to maintain plans for resilience and to restore capabilities or services impaired due to a cybersecurity incident. Behavioral biometrics can support the Recover function to return to normal operations after an incident.

With the investigative capabilities behavioral biometrics technology brings, organizations can examine the events leading up to an incident and pinpoint faster where, when, and how the incident occurred. Behavioral biometrics insights can provide immense value when it comes to investigating incidents and updating protection, detection and response plans, and can help ensure that the organization can return to normalcy after an attack.


The NIST framework is a great place to start for organizations improving and updating their cybersecurity or identity and access management processes.

Advanced technologies, like behavioral biometrics, are helpful when organizations want to put NIST recommendations into practice. When it comes to preventing fraud, mitigating account sharing, detecting the latest malware attacks or other digital identity challenges, behavioral biometrics provides a superior method to ensure that people truly are who they claim to be.