NIST updated its Digital Identity Guidelines to Revision 4 (SP 800-63B-4) and added Section 5.3, Session Monitoring (also called continuous authentication). The section recognizes continuous, in-session evaluation of user and device signals to catch fraud after login. When risk is detected, relying parties should coordinate with their identity provider to take action. Typical actions are to terminate the session, reauthenticate the user, or notify support. The section lists example signals such as behavioral biometrics like typing cadence, device or browser traits, geolocation, and IP risk. NIST also asks organizations to cover the related data collection and processing in their privacy risk assessment.
While not yet mandatory, these measures are especially important for remote employees, who face a higher risk of unauthorized use of the computers entrusted to them.
What Section 5.3 says in one slide
- Definition: Session monitoring means ongoing evaluation of session characteristics to detect possible identity fraud during a live session.
- Actions on risk: Reauthenticate, end the session, or notify support, preferably in coordination with the IdP.
- Signals: Usage patterns and behavioral biometrics such as typing cadence, as well as other weaker signals (browser traits, geolocation, and IP reputation) can be used.
- Governance: Include collection, processing, and retention in your privacy risk assessment.
How ActiveLock maps to Section 5.3 today
Continuous checks with immediate enforcement. ActiveLock runs on Windows and macOS endpoints and continuously verifies the current user, primarily based on their typing behavior. If an unauthorized user is detected, the device locks immediately. This is a direct implementation of “take action during the session.”
Behavioral and interaction signals. ActiveLock evaluates typing cadence continuously and also considers mouse interaction in its rapid detection layer. Version 3.5 “Fortress” introduced a two-layer engine. A short-window detector (about 50 keystrokes plus mouse cues) can prompt a step-up, and a longer check provides higher confidence. The goal is to reduce the impostor window to well under 100 characters in typical cases. The step up can also use passive face recognition to confirm an authorized user or quickly take action otherwise.
Operational visibility and coordinated responses. In addition to locking the computer screen when an unauthorized user is detected, ActiveLock can also trigger revocation of IAM sessions: ActiveLock Enterprise ships logs to Datadog, Splunk, Microsoft Sentinel, Grafana/Loki, and other aggregators. A monitor can be set up in these platforms to watch for “lock” action events and instantly revoke the user’s active sessions. The next user action then prompts for reauthentication by design. This connects endpoint risk to identity control without rebuilding your login flow.
Privacy by design. ActiveLock analyzes how a user types directly on their computer; the biometric data collected and processed never leaves the user’s device. This simplifies your privacy risk assessment.
How to roll this in, step by step
- Start where risk is highest. Begin with endpoints that handle sensitive data or privileged access. Use a simple “lock” and “log” policy for a quick pilot.
- Set up session revocation flow. Stream ActiveLock events to Datadog or your preferred log aggregator/SIEM. Create monitors that trigger IAM session revocation on “lock” events so a compromised user cannot roam across applications without reauthentication.
- Document privacy. List monitored signals, purpose, retention, and user notices in your privacy risk assessment. Align with internal privacy and security policies.
- Tune by role. Start with the medium security level, but use stricter security levels for admins and finance if needed.
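The “lock” event to IAM session revocation flow described above (Operational visibility and step 2 of the rollout), as an added example that is not part of ActiveLock or the original page. The JSON log shape, the field names, and the revoke callable are assumptions; ActiveLock’s real log format and your IdP’s revocation API are not specified here, so plug the real ones in at those two points.

```python
import json
from datetime import datetime

# Constructed sample events in an assumed JSON-lines shape (field names are
# placeholders, not ActiveLock's documented format). Two lock events for the
# same user 73 seconds apart exercise the deduplication logic below.
SAMPLE_LOG = """
{"ts": "2025-01-15T09:02:11Z", "host": "LAPTOP-01", "user": "alice", "action": "verify", "score": 0.93}
{"ts": "2025-01-15T09:05:40Z", "host": "LAPTOP-01", "user": "alice", "action": "step_up", "score": 0.41}
{"ts": "2025-01-15T09:05:52Z", "host": "LAPTOP-01", "user": "alice", "action": "lock", "score": 0.12}
{"ts": "2025-01-15T09:06:30Z", "host": "LAPTOP-02", "user": "bob", "action": "verify", "score": 0.88}
{"ts": "2025-01-15T09:07:05Z", "host": "LAPTOP-01", "user": "alice", "action": "lock", "score": 0.10}
"""

def parse_events(text):
    """Parse JSON-lines log text into a list of event dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def revocations_for(events, dedupe_window_s=600):
    """Turn lock events into revocation decisions: at most one per user within
    dedupe_window_s seconds, so a repeated lock on the same endpoint does not
    hammer the IdP API. Returns decisions in time order."""
    decisions, last_fired = [], {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev.get("action") != "lock":
            continue  # verify / step_up events are informational only
        user = ev["user"]
        t = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        prev = last_fired.get(user)
        if prev is not None and (t - prev).total_seconds() < dedupe_window_s:
            continue  # already revoked for this user inside the window
        last_fired[user] = t
        decisions.append({"user": user, "host": ev["host"],
                          "reason": f"endpoint lock event, score={ev['score']}"})
    return decisions

def apply_revocations(decisions, revoke):
    """Call revoke(user) for each decision (a placeholder for your IdP's
    session-revocation API call) and return the users it succeeded for.
    The user's next request then hits a fresh login, as the page describes."""
    return [d["user"] for d in decisions if revoke(d["user"])]

if __name__ == "__main__":
    # Stand-in revoker that only logs; replace with the real IdP API call.
    revoked = apply_revocations(revocations_for(parse_events(SAMPLE_LOG)),
                                lambda u: print(f"revoke sessions for {u}") or True)
    print("revoked:", revoked)
```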
Why teams choose ActiveLock for Section 5.3
- Aligns with the exact signal types NIST lists, including typing cadence, and takes real-time action directly on the device.
- Delivers fast detection with minimal friction. The dual-layer engine in ActiveLock version 3.5 shortens the detection window while keeping users productive.
- Simple to operationalize. Provides built-in logging, ready-to-use dashboards, and straightforward integration with SIEM and IAM automation.
- Privacy-first approach. Focuses on behavioral patterns rather than typed content, supporting clear documentation for privacy reviews.
- Reduces overlooked endpoint risk. Adds a layer of protection against unauthorized use of company computers, especially valuable in remote-employee scenarios, and gives CISOs confidence their teams are covered.
Quick FAQs
Does session monitoring change my AAL?
No. Session monitoring reduces risk during the session. It does not replace authenticators and it does not change the AAL on its own.
Do I need to involve my IdP?
Not really. Most IAMs/IdPs offer API-based methods that let you revoke sessions on a “lock” event through simple automations. The next action requires reauthentication by design.
What about user privacy?
Document the signals, purposes, retention, and notices in your privacy risk assessment. ActiveLock’s footprint is minimal: all biometric data is collected and processed only on the user’s PC, keeping your privacy risk low.
Put Section 5.3 session monitoring into practice
Contact us to start a pilot or to explore how ActiveLock can help you meet your session monitoring goals in compliance with NIST SP 800-63B Rev 4, Section 5.3.