- NIST guidelines support limited use of biometrics for authentication and recommend it only be used as part of multi-factor authentication along with a physical authenticator. Biometrics have limitations including probabilistic matching and inability to easily revoke templates.
- When biometrics are used, NIST requires a false match rate of 1 in 1000 or better, implementation of liveness detection, and preference for local rather than central matching to mitigate attacks.
- For AAL2 authentication on mobile, NIST recommends using multi-factor cryptographic software authenticators activated by a second factor like biometrics. Examples include FIDO protocols and Android's CryptoObject for authenticating to remote servers.
- Behavioral biometrics analyzing user