Biometric Sign-In Support

Software Support
: Starting with GlobalProtect™ app 5.1 with PAN-OS 9.1
OS Support
: Fingerprint support on Windows, macOS, iOS, and Android; Face ID support on iOS X and later releases only
For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-on is enabled on an endpoint, end users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system scanning capabilities to determine the validity of a scan match.
GlobalProtect with biometric authentication supports authentication features as follows:
Connect Method
On-demand only. If Always On and biometric sign-in are both enabled, GlobalProtect falls back to using
Save Username Only
where the user must supply a password to log in.
Authentication Cookies
Supported with biometric sign-in. When a valid authentication cookie is present, GlobalProtect does not prompt the user to sign-in with a fingerprint (or Face ID).
Not supported with biometric sign-in.
Multi-factor Authentication (MFA)
When users who have set up authentication using a fingerprint or face ID first log in to GlobalProtect, they are prompted to enter their password once to save it and again to authenticate (on Android devices, these steps are consolidated and users only need to enter their password one time). If a user later enables biometric authentication, they can open the GlobalProtect app and enable fingerprint authentication on the
If you change a fingerprint, GlobalProtect seamlessly uses the updated fingerprint template to allow authentication. On Android devices, however, users must reenter their password when the fingerprint template changes.
  1. On the firewall configured to act as the GlobalProtect portal, select the relevant app configuration.
  2. Set
    Save User Credentials
    Only with User Fingerprint
    to enable biometric sign-on.
    To enable biometric sign-on, configure
    Save User Credentials
    Only with User Fingerprint
    in the
    configuration of your GlobalProtect portal. This enables GlobalProtect to leverage the operating system capabilities for validating the user before allowing authentication with GlobalProtect.
  3. Click
  4. Commit the configuration.

Recommended For You