YinkoShield

Knowledge Center / Checkpoint architectures · 2025·12

Behavioural biometrics — observation scope and accuracy bounds

Behavioural biometrics analyse a session: keystroke dynamics, gesture rhythm, navigation cadence, device-handling micro-motion. The output is a probabilistic statement about how well the session matches a learned per-user baseline. NIST SP 800-63B Rev. 3 [1] does not recognise biometrics as a stand-alone authenticator and treats behavioural signals as continuous-risk inputs rather than a discrete authenticator type; ISO/IEC 19989-1 [2] specifies the evaluation methodology. The EBA's June 2019 Opinion [4] sets the conditions under which behavioural patterns may contribute to inherence under PSD2. This page describes the substrate's actual scope — collection, aggregation, scoring, decay — and the accuracy bounds vendors publish.

[ Figure: behavioural biometrics — analytics pipeline. 1 · collect: keystroke timing, gesture rhythm, navigation cadence, handling micro-motion. 2 · aggregate over session window: opens at login / unlock, closes at logout / idle decay. 3 · score delta vs learned baseline: probability / confidence value scoped to session. 4 · decay over idle: recovers with new observations. Score = property of the session window: a probabilistic statement that the session looks like the learned user, not a cryptographic signature over a specific transaction body. ]
Behavioural biometrics is a four-stage pipeline: collect, aggregate over a session window, score against a learned baseline, decay over idle. The output is a session-scoped probability, not a per-transaction signature.

1. Where it sits in the standards taxonomy

NIST SP 800-63B Rev. 3 §5.2.3 [1] does not recognise biometrics as a stand-alone authenticator and does not define a “passive factor category”; behavioural signals are treated as continuous-risk inputs to a broader authentication decision rather than as a discrete authenticator type. The relevant operational stance: behavioural biometrics inform risk; they do not satisfy the authenticator obligation on their own.

ISO/IEC 19989-1 [2], building on ISO/IEC 19792 [3], specifies the security-evaluation methodology for biometric systems generally. For behavioural biometrics specifically, the methodology covers:

  • the feature extraction pipeline,
  • the matching algorithm,
  • the false-match-rate (FMR) and false-non-match-rate (FNMR) at defined operating points,
  • the population over which those rates were measured,
  • the resilience to presentation attacks.

The EBA’s June 2019 Opinion on the elements of strong customer authentication under PSD2 [4] sets the regulatory conditions under which behavioural patterns may contribute to the inherence element under the PSD2 RTS — including non-replication, distinctness, and how the operator demonstrates compliance. The accuracy claims a behavioural-biometrics vendor publishes — when they publish them — should be readable within these frameworks.
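To make the operating-point bullet above concrete, here is an added example (not code from ISO/IEC 19989-1, a vendor, or this knowledge center) that computes FMR and FNMR from matcher scores at a chosen threshold, tabulates several operating points, finds the equal-error point, and finds the lowest threshold that meets a target FMR. The genuine and impostor score lists are constructed; a higher score means a better match to the learned baseline.

```python
"""FMR / FNMR at defined operating points (added example, constructed data).

An operating point is one acceptance threshold on the matcher score.
FMR  = share of impostor comparisons accepted (score >= threshold).
FNMR = share of genuine comparisons rejected (score <  threshold).
"""

def fmr_fnmr(genuine_scores, impostor_scores, threshold):
    """Error rates when a session is accepted iff its score >= threshold."""
    fmr = sum(s >= threshold for s in impostor_scores) / len(impostor_scores)
    fnmr = sum(s < threshold for s in genuine_scores) / len(genuine_scores)
    return fmr, fnmr

def operating_points(genuine_scores, impostor_scores, thresholds):
    """(threshold, FMR, FNMR) rows: the table a vendor should publish, with the population size."""
    return [(t, *fmr_fnmr(genuine_scores, impostor_scores, t)) for t in thresholds]

def equal_error_point(genuine_scores, impostor_scores):
    """Observed threshold where FMR and FNMR are closest (the EER operating point)."""
    candidates = sorted(set(genuine_scores) | set(impostor_scores))
    rows = [(t, *fmr_fnmr(genuine_scores, impostor_scores, t)) for t in candidates]
    return min(rows, key=lambda row: abs(row[1] - row[2]))

def threshold_for_target_fmr(genuine_scores, impostor_scores, target_fmr):
    """Lowest observed threshold whose FMR <= target; the FNMR is the cost of that choice."""
    for t in sorted(set(genuine_scores) | set(impostor_scores)):
        fmr, fnmr = fmr_fnmr(genuine_scores, impostor_scores, t)
        if fmr <= target_fmr:
            return t, fmr, fnmr
    return None

# Constructed scores: ten genuine-user sessions and ten sessions by other people.
# With only ten comparisons per class, each rate can only move in steps of 0.1,
# which is why the population the rates were measured over must be published too.
GENUINE = [0.95, 0.91, 0.88, 0.84, 0.80, 0.77, 0.72, 0.66, 0.58, 0.49]
IMPOSTOR = [0.71, 0.63, 0.55, 0.48, 0.41, 0.36, 0.30, 0.22, 0.15, 0.09]

if __name__ == "__main__":
    for t, fmr, fnmr in operating_points(GENUINE, IMPOSTOR, [0.5, 0.6, 0.7, 0.8]):
        print(f"threshold {t:.2f}  FMR {fmr:.2f}  FNMR {fnmr:.2f}")
    print("EER point:", equal_error_point(GENUINE, IMPOSTOR))
    print("FMR 0 point:", threshold_for_target_fmr(GENUINE, IMPOSTOR, 0.0))
```

Reading the output the way the standards intend: a single headline accuracy figure is meaningless without the threshold it was measured at, the paired error rate at that threshold, and the size and composition of the population behind it.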

2. What is collected

Pure behavioural-biometrics vendors — among them BioCatch, Callsign, BehavioSec (now part of LexisNexis Risk Solutions), TypingDNA, Zighra — collect a relatively consistent set of feature classes. (Adjacent fraud-analytics platforms such as Featurespace, NICE Actimize, and Outseer consume some of the same session signals but combine them with transaction history; they are not behavioural-biometrics vendors in the same sense.)

  • Keystroke dynamics. Inter-key timing distributions, dwell time, flight time. (Key-press pressure is rarely available in 2026 — Apple discontinued 3D Touch from iPhone 11 (2019) onward, and Android’s MotionEvent.getPressure() is sensor-dependent and frequently normalised.)
  • Gesture rhythm. Touchscreen swipe trajectories, tap frequency, scroll velocity profiles.
  • Navigation cadence. Time spent per screen, navigation ordering, abandonment patterns.
  • Device-handling micro-motion. Accelerometer / gyroscope signals correlated with screen interaction — how the device is held, how it tilts when typing.
  • Session-shape signals. Use of paste vs typing, copy-paste origin, autofill behaviour, switching between apps.

The features are collected client-side via an SDK or web tag and forwarded to the vendor’s analytics infrastructure or, in deployment patterns that prioritise data residency, an operator-hosted instance of the vendor’s pipeline.

3. Aggregate, score, decay

The pipeline downstream of collection has three stages:

  • Aggregate over a session window. A session opens at app launch / login / unlock and closes at logout / idle timeout beyond the vendor’s configured threshold. The features collected within the window are aggregated into a per-session feature vector.
  • Score against a learned baseline. A per-user model — trained over several prior sessions — produces a similarity score, a probability, or a delta from the baseline. The form depends on the vendor; the meaning is consistent: how well does this session match what we have learned about this user?
  • Decay with idle, recover with observation. When the user is idle, the score’s confidence decays on a vendor-defined curve. New observations restore confidence as the system collects more features.

The output is a session-scoped probability, refreshed continuously while the user is active. Operators consume this as a risk-tier input: high confidence permits frictionless action, low confidence triggers step-up authentication, persistently low confidence escalates to fraud review.
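The four-stage pipeline in sections 2 and 3, and the risk-tier consumption described just above, as an added toy implementation (not any vendor's code and not this knowledge center's): raw key events are reduced to dwell and flight times, aggregated per session window, scored as a z-score distance from a baseline learned over prior sessions, and then a confidence value decays on an exponential half-life over idle and recovers as new samples arrive. The key events, half-life, gain per sample and tier thresholds are all constructed assumptions.

```python
"""Toy behavioural-biometrics session pipeline (added example, not vendor code).

Stages mirror the page: collect -> aggregate over a session window ->
score against a learned per-user baseline -> decay over idle, recover on
new observations -> map the session-scoped value to an operator risk tier.
Every event, timing, curve and threshold here is constructed for illustration.
"""
import math
from statistics import mean, pstdev

def make_events(dwells, flights, start_ms=0):
    """Build constructed key events (key, press_ms, release_ms) from dwell/flight lists."""
    events, t = [], start_ms
    for i, dwell in enumerate(dwells):
        events.append((f"k{i}", t, t + dwell))
        t += dwell + (flights[i] if i < len(flights) else 0)
    return events

# 1. collect: raw key events -> keystroke-dynamics feature samples
def keystroke_features(events):
    """Dwell = release - press of each key; flight = next press - this release."""
    dwell = [release - press for _, press, release in events]
    flight = [events[i + 1][1] - events[i][2] for i in range(len(events) - 1)]
    return {"dwell": dwell, "flight": flight}

# 2. aggregate: all samples inside the session window -> one per-session vector
def aggregate(feature_samples):
    """Per feature class, the session mean (the vector the scorer compares)."""
    return {name: mean(vals) for name, vals in feature_samples.items() if vals}

# learned baseline: pooled samples from several prior sessions of the same user
def learn_baseline(prior_sessions):
    pooled = {}
    for events in prior_sessions:
        for name, vals in keystroke_features(events).items():
            pooled.setdefault(name, []).extend(vals)
    # (mean, std) per feature; std floored so a constant feature cannot divide by zero
    return {name: (mean(vals), max(pstdev(vals), 1e-6)) for name, vals in pooled.items()}

# 3. score: delta from baseline -> similarity in (0, 1], 1 = identical to baseline
def score(session_vector, baseline):
    """Mean absolute z-score of the session means, squashed with exp(-z)."""
    zs = [abs(session_vector[n] - mu) / sd for n, (mu, sd) in baseline.items() if n in session_vector]
    return math.exp(-mean(zs)) if zs else 0.0

def score_session(events, baseline):
    return score(aggregate(keystroke_features(events)), baseline)

# 4. decay on idle (exponential half-life), recover as new observations arrive
def decay_confidence(confidence, idle_seconds, half_life_s=300.0):
    return confidence * 0.5 ** (idle_seconds / half_life_s)

def recover_confidence(confidence, new_samples, gain_per_sample=0.05):
    return min(1.0, confidence + gain_per_sample * new_samples)

# operator view: the session-scoped probability consumed as a risk tier
def risk_tier(score_value, confidence, frictionless_at=0.6, step_up_at=0.3):
    effective = score_value * confidence  # low confidence pulls any score down
    if effective >= frictionless_at:
        return "frictionless"
    if effective >= step_up_at:
        return "step-up"
    return "fraud-review"

# Constructed sessions: three prior genuine sessions, one fresh genuine session,
# one session typed by a different person (slow dwell, fast flight).
PRIOR_SESSIONS = [
    make_events([100, 110, 90, 100, 110], [150, 160, 140, 150]),
    make_events([90, 100, 110, 100, 90], [140, 150, 160, 150]),
    make_events([110, 90, 100, 110, 100], [160, 140, 150, 150]),
]
GENUINE_SESSION = make_events([105, 95, 100, 110, 90], [155, 145, 150, 160])
OTHER_PERSON_SESSION = make_events([200, 210, 190, 220, 200], [60, 70, 50, 60])

def run_demo():
    """Walk a genuine session through idle decay and recovery; return the tiers seen."""
    baseline = learn_baseline(PRIOR_SESSIONS)
    genuine = score_session(GENUINE_SESSION, baseline)
    other = score_session(OTHER_PERSON_SESSION, baseline)
    confidence = 1.0
    tiers = {"genuine_active": risk_tier(genuine, confidence),
             "other_person": risk_tier(other, confidence)}
    confidence = decay_confidence(confidence, idle_seconds=300)   # 5 min idle -> 0.5
    tiers["genuine_after_idle"] = risk_tier(genuine, confidence)  # same user, now step-up
    confidence = recover_confidence(confidence, new_samples=10)   # back to 1.0
    tiers["genuine_after_recovery"] = risk_tier(genuine, confidence)
    return tiers

if __name__ == "__main__":
    for name, tier in run_demo().items():
        print(f"{name:24s} {tier}")
```

The demo makes the session-window property visible: the same genuine user drops from frictionless to step-up after five idle minutes purely because confidence decayed, and climbs back once ten new samples arrive. Nothing in the score refers to a transaction body, which is the gap section 4 discusses.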

4. Where the substrate composes

Behavioural biometrics is a strong signal for one specific problem: detecting that a different human is interacting with the device than the human the system has learned. It is reliably better than static factors at catching account takeover by a different physical user on the same device, and it does so continuously, without prompting the user.

What the substrate does not do is sign a specific transaction. The score is a property of the session window the analytics observed, not a cryptographic signature over a transaction body. It composes naturally with substrates that do sign transactions or sign events: an operator using FIDO2 for authentication, EMV for the rail, behavioural biometrics for session-shape risk, and Execution Evidence Infrastructure (EEI) — the device-identity infrastructure layer for banking and payments — for signed device-side observations has four distinct guarantees, none redundant, none substitutable. Where the session-window boundary becomes load-bearing in a payment flow is the subject of the behavioural-session-gap article in the prior theme.

5. Cross-references

6. External references

[1] National Institute of Standards and Technology. SP 800-63B Rev. 3 — Digital Identity Guidelines: Authentication and Lifecycle Management. pages.nist.gov/800-63-3/sp800-63b.html. Cited 2025-12-01.

[2] International Organization for Standardization. ISO/IEC 19989-1:2020 — Information security — Criteria and methodology for security evaluation of biometric systems. www.iso.org/standard/72402.html. Cited 2025-12-01.

[3] International Organization for Standardization. ISO/IEC 19792:2009 — Information technology — Security techniques — Security evaluation of biometrics. www.iso.org/standard/51521.html. Cited 2025-12-01.

[4] European Banking Authority. Opinion of the European Banking Authority on the elements of strong customer authentication under PSD2. June 2019. eba.europa.eu/sites/default/files/documents/10180/2622242/4bf4e536-69a5-44a5-a685-de42e292ef78/EBA Opinion on SCA elements under PSD2.pdf. Cited 2025-12-01.