Starting with GlobalProtect™ app 5.1 with PAN-OS 9.1
OS Support: Fingerprint support on Windows, macOS, iOS, and Android; Face ID support on iOS X and later releases only
For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-on is enabled on an endpoint, end users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to the GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system's scanning capabilities to determine the validity of a scan match.
GlobalProtect with biometric authentication supports authentication features as follows:

| Feature | Support |
|---|---|
| Connect Method | On-demand only. If Always On and biometric sign-in are both enabled, GlobalProtect falls back to using Save Username Only, where the user must supply a password to log in. |
| Authentication Cookies | Supported with biometric sign-in. When a valid authentication cookie is present, GlobalProtect does not prompt the user to sign in with a fingerprint (or Face ID). |
| SAML | Not supported with biometric sign-in. |
| Multi-factor Authentication (MFA) | Supported |

When users who have set up authentication using a fingerprint or Face ID first log in to GlobalProtect, they are prompted to enter their password once to save it and again to authenticate (on Android devices, these steps are consolidated and users only need to enter their password one time). If a user later enables biometric authentication, they can open the GlobalProtect app and enable fingerprint authentication on the General tab.
If you change a fingerprint, GlobalProtect seamlessly uses the updated fingerprint template to allow authentication. On Android devices, however, users must reenter their password when the fingerprint template changes.
On the firewall configured to act as the GlobalProtect portal, select the relevant app configuration.
Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Authentication.
Set Save User Credentials to Only with User Fingerprint to enable biometric sign-on.
To enable biometric sign-on, configure Save User Credentials as Only with User Fingerprint in the App configuration of your GlobalProtect portal. This enables GlobalProtect to leverage the operating system capabilities for validating the user before allowing authentication with GlobalProtect.