From aaf7538ac22c4ab61808cb97768807101d91c011 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Jun 2020 12:04:49 -0700 Subject: [PATCH 1/4] WHFB iris info to Identity --- devices/hololens/hololens-identity.md | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index 08af92c386..247c49ca71 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -96,6 +96,14 @@ Windows Hello for Business (which supports using a PIN to sign in) is supported > [!NOTE] > Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). +#### How are Windows Hello for Business Iris scans are supported on HoloLens? + +Iris is implemented the same way as other Windows Hello technologies and hit 1/100K FAR. Useful resources about biometric requirements for Windows Hello. + +- [Biometrics Requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) + +Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification). + #### Does the type of account change the sign-in behavior? Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: From b0295087e5b8f91e339cac8466317851172bfd3f Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Thu, 18 Jun 2020 13:15:29 -0700 Subject: [PATCH 2/4] edits from Yannis --- devices/hololens/hololens-identity.md | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index 247c49ca71..f4439c05e1 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -96,13 +96,11 @@ Windows Hello for Business (which supports using a PIN to sign in) is supported > [!NOTE] > Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). -#### How are Windows Hello for Business Iris scans are supported on HoloLens? +### How is Iris biometric authentication implemented? -Iris is implemented the same way as other Windows Hello technologies and hit 1/100K FAR. Useful resources about biometric requirements for Windows Hello. +HoloLens 2 supports Iris authentication. Iris is implemented based on Windows Hello technology. Iris is implemented the same way as other Windows Hello technologies and hit 1/100K FAR. -- [Biometrics Requirements](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements) - -Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification). +You can learn more about biometric requirements and specifications for Windows Hello [here](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification). #### Does the type of account change the sign-in behavior? From d6a18b69945b782bedc933a897da362b17f71ab8 Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 22 Jun 2020 11:16:38 -0700 Subject: [PATCH 3/4] Clarify Iris and 1stgen There are a few areas that refence 1st gen and so those areas are now pointed out. Also Iris language was tweaked. --- devices/hololens/hololens-identity.md | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index f4439c05e1..455a38e93a 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -85,9 +85,9 @@ One way in which developing for HoloLens differs from developing for Desktop is ## Frequently asked questions -### Is Windows Hello for Business supported on HoloLens? +### Is Windows Hello for Business supported on HoloLens (1st Gen)? -Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens. To allow Windows Hello for Business PIN sign-in on HoloLens: +Windows Hello for Business (which supports using a PIN to sign in) is supported for HoloLens (1st Gen). To allow Windows Hello for Business PIN sign-in on HoloLens: 1. The HoloLens device must be [managed by MDM](hololens-enroll-mdm.md). 1. You must enable Windows Hello for Business for the device. ([See instructions for Microsoft Intune.](https://docs.microsoft.com/intune/windows-hello)) @@ -96,19 +96,19 @@ Windows Hello for Business (which supports using a PIN to sign in) is supported > [!NOTE] > Users who sign in by using a Microsoft account can also set up a PIN in **Settings** > **Sign-in Options** > **Add PIN**. This PIN is associated with [Windows Hello](https://support.microsoft.com/help/17215/windows-10-what-is-hello), rather than [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-overview). -### How is Iris biometric authentication implemented? +### How is Iris biometric authentication implemented on HoloLens 2? -HoloLens 2 supports Iris authentication. Iris is implemented based on Windows Hello technology. Iris is implemented the same way as other Windows Hello technologies and hit 1/100K FAR. +HoloLens 2 supports Iris authentication. Iris is based on Windows Hello technology and is supported for use by both Azure Active Directory and Microsoft Accounts. Iris is implemented the same way as other Windows Hello technologies, and achieves biometrics security FAR of 1/100K. You can learn more about biometric requirements and specifications for Windows Hello [here](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello-biometric-requirements). Learn more about [Windows Hello](https://docs.microsoft.com/windows-hardware/design/device-experiences/windows-hello) and [Windows Hello for Business](https://docs.microsoft.com/windows/security/identity-protection/hello-for-business/hello-identity-verification). -#### Does the type of account change the sign-in behavior? +### How does the type of account affect sign-in behavior? Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: -- **Microsoft account**: signs in automatically -- **Local account**: always asks for password, not configurable in **Settings** -- **Azure AD**: asks for password by default, and configurable by **Settings** to no longer ask for password. +- **Microsoft account**: lock behavior is different allowing automatic unlock, however sign in authentication is still required on reboot. +- **Local account**: always asks for authentication in the form of a password, not configurable in **Settings** +- **Azure AD**: asks for authentication by default, and configurable by **Settings** to no longer ask for authentication. > [!NOTE] > Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy. From 519c7c5fd5d9186e2781d5877866203aef1011de Mon Sep 17 00:00:00 2001 From: Evan Miller Date: Mon, 22 Jun 2020 12:56:03 -0700 Subject: [PATCH 4/4] updates per yannisle feedback We should remove the entire first sentence. "yes, the...." Let's place AAD first as we are pushing customers to use AADJ :) --- devices/hololens/hololens-identity.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/devices/hololens/hololens-identity.md b/devices/hololens/hololens-identity.md index 455a38e93a..e37c3e14ec 100644 --- a/devices/hololens/hololens-identity.md +++ b/devices/hololens/hololens-identity.md @@ -104,11 +104,11 @@ You can learn more about biometric requirements and specifications for Windows H ### How does the type of account affect sign-in behavior? -Yes, the behavior for the type of account affects the sign-in behavior. If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: +If you apply policies for sign-in, the policy is always respected. If no policy for sign-in is applied, these are the default behaviors for each account type: +- **Azure AD**: asks for authentication by default, and configurable by **Settings** to no longer ask for authentication. - **Microsoft account**: lock behavior is different allowing automatic unlock, however sign in authentication is still required on reboot. - **Local account**: always asks for authentication in the form of a password, not configurable in **Settings** -- **Azure AD**: asks for authentication by default, and configurable by **Settings** to no longer ask for authentication. > [!NOTE] > Inactivity timers are currently not supported, which means that the **AllowIdleReturnWithoutPassword** policy is only respected when the device goes into StandBy.