Hardware reference guide
GlobalProtect Administrator’s Guide 23
Set Up the GlobalProtect Infrastructure Set Up GlobalProtect User Authentication
Set up Two-Factor Authentication
If you require strong authentication in order to protect your sensitive resources and/or comply with regulatory
requirements—such as PCI, SDX, or HIPAA—configure GlobalProtect to use an authentication service that
uses a two-factor authentication scheme such as one-time passwords (OTPs), tokens, smart cards, or a
combination of external authentication and client certificate authentication. A two-factor authentication scheme
requires two things: something the end user knows (such as a PIN or password) and something the end user has
(a hardware or software token/OTP, smart card, or certificate).
The following sections provide examples for how to set up two-factor authentication on GlobalProtect:
Enable Two-Factor Authentication
Enable Two-Factor Authentication Using One-Time Passwords (OTPs)
Enable Two-Factor Authentication Using Smart Cards
Enable Two-Factor Authentication
The following workflow shows how to configure GlobalProtect client authentication requiring the user to
authenticate both to a certificate profile and an authentication profile. The user must successfully authenticate
using both methods in order to connect to the portal/gateway. For more details on this configuration, see
Remote Access VPN with Two-Factor Authentication.