Biometric Sign-In Support

Software Support
: Starting with GlobalProtect™ app 5.1 with PAN-OS 9.1
OS Support
: Fingerprint support on Windows, macOS, iOS, and Android; Face ID support on iOS X and later releases only
For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-on is enabled on an endpoint, end users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system scanning capabilities to determine the validity of a scan match.
GlobalProtect with biometric authentication supports authentication features as follows:
Feature
Support
Connect Method
On-demand only. If Always On and biometric sign-in are both enabled, GlobalProtect falls back to using
Save Username Only
where the user must supply a password to log in.
Authentication Cookies
Supported with biometric sign-in. When a valid authentication cookie is present, GlobalProtect does not prompt the user to sign-in with a fingerprint (or Face ID).
SAML
Not supported with biometric sign-in.
Multi-factor Authentication (MFA)
Supported
When users who have set up authentication using a fingerprint or face ID first log in to GlobalProtect, they are prompted to enter their password once to save it and again to authenticate (on Android devices, these steps are consolidated and users only need to enter their password one time). If a user later enables biometric authentication, they can open the GlobalProtect app and enable fingerprint authentication on the
General
tab.
If you change a fingerprint, GlobalProtect seamlessly uses the updated fingerprint template to allow authentication. On Android devices, however, users must reenter their password when the fingerprint template changes.
  1. On the firewall configured to act as the GlobalProtect portal, select the relevant app configuration.
    Select
    Network
    GlobalProtect
    Portals
    <portal-config>
    Agent
    <agent-config>
    Authentication
    .
  2. Set
    Save User Credentials
    to
    Only with User Fingerprint
    to enable biometric sign-on.
    To enable biometric sign-on, configure
    Save User Credentials
    as
    Only with User Fingerprint
    in the
    App
    configuration of your GlobalProtect portal. This enables GlobalProtect to leverage the operating system capabilities for validating the user before allowing authentication with GlobalProtect.
  3. Click
    OK
    .
  4. Commit the configuration.

Recommended For You