GlobalProtect™ App New Features Guide
  • GlobalProtect™ App New Features Guide
  • GlobalProtect Documentation
  • All Documentation
>
Biometric Sign-In Support
Focus
Download PDF
Focus
  1. Home
  2. GlobalProtect
  3. New Features Released in GlobalProtect App 5.1
  4. Biometric Sign-In Support
Download PDF
GlobalProtect

Biometric Sign-In Support

Table of Contents

Biometric Sign-In Support

Software Support: Starting with GlobalProtect™ app 5.1 with PAN-OS 9.1
OS Support: Fingerprint support on Windows, macOS, iOS, and Android; Face ID support on iOS X and later releases only
For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-on is enabled on an endpoint, end users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system scanning capabilities to determine the validity of a scan match.
GlobalProtect with biometric authentication supports authentication features as follows:
FeatureSupport
Connect Method On-demand only. If Always On and biometric sign-in are both enabled, GlobalProtect falls back to using Save Username Only where the user must supply a password to log in.
Authentication CookiesSupported with biometric sign-in. When a valid authentication cookie is present, GlobalProtect does not prompt the user to sign-in with a fingerprint (or Face ID).
SAMLNot supported with biometric sign-in.
Multi-factor Authentication (MFA)Supported
When users who have set up authentication using a fingerprint or face ID first log in to GlobalProtect, they are prompted to enter their password once to save it and again to authenticate (on Android devices, these steps are consolidated and users only need to enter their password one time). If a user later enables biometric authentication, they can open the GlobalProtect app and enable fingerprint authentication on the General tab.
If you change a fingerprint, GlobalProtect seamlessly uses the updated fingerprint template to allow authentication. On Android devices, however, users must reenter their password when the fingerprint template changes.
  1. On the firewall configured to act as the GlobalProtect portal, select the relevant app configuration.
    Select NetworkGlobalProtectPortals<portal-config>Agent<agent-config>Authentication.
  2. Set Save User Credentials to Only with User Fingerprint to enable biometric sign-on.
    To enable biometric sign-on, configure Save User Credentials as Only with User Fingerprint in the App configuration of your GlobalProtect portal. This enables GlobalProtect to leverage the operating system capabilities for validating the user before allowing authentication with GlobalProtect.
  3. Click OK.
  4. Commit the configuration.

Technical Documentation

Company

Legal Notices

© 2025 Palo Alto Networks, Inc. All rights reserved.