Merge pull request #95604 from RavennMSFT/patch-22

PRMerger8 · web-flow · commit c59d6bd4ba49 · 2019-11-11T23:09:43.000-08:00
Update access-tokens.md
diff --git a/articles/active-directory/develop/access-tokens.md b/articles/active-directory/develop/access-tokens.md
@@ -260,9 +260,9 @@ Refresh tokens can be invalidated or revoked at any time, for different reasons.
 | [Single sign-out](v1-protocols-openid-connect-code.md#single-sign-out) on web | Revoked | Stays alive | Revoked | Stays alive | Stays alive |
 
 > [!NOTE]
-> A "Non-password based" login is one where the user didn't type in a password to get it. For example, using your face with Windows Hello, a FIDO key, or a PIN.
+> A "Non-password based" login is one where the user didn't type in a password to get it. For example, using your face with Windows Hello, a FIDO2 key, or a PIN.
 >
-> A known issue exists with the Windows Primary Refresh Token. If the PRT is obtained via a password, and then the user logs in via Hello, this does not change the origination of the PRT, and it will be revoked if the user changes their password.
+> Primary Refresh Tokens (PRT) on Windows 10 are segregated based on the credential. For example, Windows Hello and password have their respective PRTs, isolated from one another. When a user signs-in with a Hello credential (PIN or biometrics) and then changes the password, the password based PRT obtained previously will be revoked. Signing back in with a password invalidates the old PRT and requests a new one.
 >
 > Refresh tokens aren't invalidated or revoked when used to fetch a new access token and refresh token.  
 

Original file line number	Diff line number	Diff line change
`@@ -260,9 +260,9 @@ Refresh tokens can be invalidated or revoked at any time, for different reasons.`
`260`	`260`	`\| [Single sign-out](v1-protocols-openid-connect-code.md#single-sign-out) on web \| Revoked \| Stays alive \| Revoked \| Stays alive \| Stays alive \|`
`261`	`261`
`262`	`262`	`> [!NOTE]`
`263`		`-> A "Non-password based" login is one where the user didn't type in a password to get it. For example, using your face with Windows Hello, a FIDO key, or a PIN.`
	`263`	`+> A "Non-password based" login is one where the user didn't type in a password to get it. For example, using your face with Windows Hello, a FIDO2 key, or a PIN.`
`264`	`264`	`>`
`265`		`-> A known issue exists with the Windows Primary Refresh Token. If the PRT is obtained via a password, and then the user logs in via Hello, this does not change the origination of the PRT, and it will be revoked if the user changes their password.`
	`265`	`+> Primary Refresh Tokens (PRT) on Windows 10 are segregated based on the credential. For example, Windows Hello and password have their respective PRTs, isolated from one another. When a user signs-in with a Hello credential (PIN or biometrics) and then changes the password, the password based PRT obtained previously will be revoked. Signing back in with a password invalidates the old PRT and requests a new one.`
`266`	`266`	`>`
`267`	`267`	`> Refresh tokens aren't invalidated or revoked when used to fetch a new access token and refresh token.`
`268`	`268`