Biometric Sign-In Support

Software Support: Starting with GlobalProtect™ app 5.1 with PAN-OS 9.1
OS Support: Fingerprint support on Windows, macOS, iOS, and Android; Face ID support on iOS X and later releases only
For enhanced usability, GlobalProtect now supports biometric sign-in. When biometric sign-on is enabled on an endpoint, end users must supply a fingerprint that matches a trusted fingerprint template on the endpoint to use a saved password for authentication to GlobalProtect portal and gateways. On iOS X, GlobalProtect also supports facial recognition with Face ID. GlobalProtect does not store the fingerprint or facial template used for authentication, but relies on the operating system scanning capabilities to determine the validity of a scan match.
GlobalProtect with biometric authentication supports authentication features as follows:
| Feature | Support |
| --- | --- |
| Connect Method | On-demand only. If Always On and biometric sign-in are both enabled, GlobalProtect falls back to using Save Username Only where the user must supply a password to log in. |
| Authentication Cookies | Supported with biometric sign-in. When a valid authentication cookie is present, GlobalProtect does not prompt the user to sign in with a fingerprint (or Face ID). |
| SAML | Not supported with biometric sign-in. |
| Multi-factor Authentication (MFA) | Supported |
When users who have set up authentication using a fingerprint or Face ID first log in to GlobalProtect, they are prompted to enter their password once to save it and again to authenticate (on Android devices, these steps are consolidated and users only need to enter their password one time). If a user later enables biometric authentication, they can open the GlobalProtect app and enable fingerprint authentication on the General tab.
If you change a fingerprint, GlobalProtect seamlessly uses the updated fingerprint template to allow authentication. On Android devices, however, users must reenter their password when the fingerprint template changes.
  1. On the firewall configured to act as the GlobalProtect portal, select the relevant app configuration.
    Select Network > GlobalProtect > Portals > <portal-config> > Agent > <agent-config> > Authentication.
  2. Set Save User Credentials to Only with User Fingerprint to enable biometric sign-on.
    To enable biometric sign-on, configure Save User Credentials as Only with User Fingerprint in the App configuration of your GlobalProtect portal. This enables GlobalProtect to leverage the operating system capabilities for validating the user before allowing authentication with GlobalProtect.
  3. Click OK.
  4. Commit the configuration.