Enhancements for Authentication Using Smart Cards
Enhancements for Authentication Using Smart Cards on macOS Endpoints
Currently, users configured for smart card authentication must rely solely on their PIV
card to access GlobalProtect, potentially blocking access if the physical card is
unavailable or forgotten. This dependency causes connectivity disruption, especially for
endpoints running Windows or macOS in On-demand operational modes.
To ensure continuous connectivity and user flexibility, GlobalProtect® now provides end
users with resilience through flexible authentication profiles. When smart card
authentication is enabled, the GlobalProtect app automatically displays two
distinct profile options: one profile optimized for smart card login and a second
profile for traditional username and password credentials. This key feature allows end
users to immediately choose their preferred authentication method directly from the
app's portal drop-down menu. This ensures that secure access remains consistently
possible even if they forget their physical PIV card or encounter smart card reader
issues, significantly improving the reliability of user access without compromising
security protocols.
The smart card authentication fallback happens only if you have selected the
Allow Authentication with User Credentials OR Client Certificate
option while configuring the GlobalProtect gateway and portal. This option
defines whether users can authenticate to the portal or gateway using credentials,
client certificates, or both.
For Windows endpoints, you can predeploy the customized Windows Registry key values for
the profile options <PIV> and <NO PIV>.