Windows logon, re-engineered

Identity at the workstation, not at the password field.

CodeB replaces password-based Windows logon with a hardened credential provider that accepts NFC cards, TOTP codes and PKI smartcards — plus USB memory sticks for quick evaluations — from Windows 8 through Server 2025, on local, Active Directory and Entra ID accounts, running fully on-premises with no cloud or internet connection required. Air-gap deployable.

Why CodeB exists

Four problems that won't wait for a cloud-only migration.

Most identity vendors assume a greenfield Entra ID environment. Regulated organisations rarely have that luxury. CodeB is built for the parts of your environment that still run Windows logon — and have to keep running it, securely. We have been doing exactly this for over twenty years; CP V2 is the modern evolution of Aloaha Smartlogin, the credential provider Aloaha has built and supported since the early 2000s.

01 / Legacy systems

Hardening logon on Windows you can't replace this quarter.

Shared workstations, kiosks, manufacturing terminals and clinical PCs still rely on Windows accounts. CodeB layers strong authentication over the existing Windows credential model — without rewriting the desktop.

02 / Compliance pressure

Per-user attribution — even for the shared accounts you can’t retire.

NIS2, DORA, the EU AI Act and sector-specific rules demand strong, attributable logon. Most companies cannot simply retire their historically-grown shared accounts. CodeB layers per-user authentication and auditing on top of those accounts, so every action remains attributable to a real person and your auditors get the evidence they recognise.

03 / Operator friction

Clinicians, operators and shop-floor staff need fast sign-in.

A nurse logging into a roving terminal cannot type a 16-character password fifty times a shift. Tap-and-go NFC and TOTP restore sub-second logon without trading away security.

04 / Digital sovereignty

No cloud required. No internet required. Works air-gapped.

CodeB runs entirely on your own infrastructure. The product never requires a cloud or internet connection to function. It deploys and runs on fully air-gapped defence networks, clinical OT segments and jurisdictions where data cannot leave the country.

Flagship · Credential Provider V2

One credential provider. Every common workstation token.

The CodeB Credential Provider V2 is a fully managed .NET implementation of Microsoft's ICredentialProviderCredential2 interface. It ships with a built-in Credential Provider Filter so you can retire the password tile and force strong logon, even in Safe Mode.

  • Local, Active Directory and Entra ID account support, including RDP smartcard forwarding.
  • Standalone or domain-joined; works on every Windows edition from Windows 8 through Server.
  • Plugin architecture — you can extend it with your own login token or authorisation workflow.
  • Works with any RFC 6238 TOTP app for the moments where a contactless card isn't available.
  • No cloud required. Installs and runs on-premises. No cloud or internet connection is required for the product to function. Air-gap deployable.

Supported tokens

  • NFC contactless: MIFARE Classic · DESFire EV1/EV2/EV3
  • PKI smartcard: X.509 · eIDAS · corporate & sector PKI
  • USB memory stick: hardware-bound key material
  • TOTP: RFC 6238 · 30 s · SHA-1/SHA-256
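
What verifying an RFC 6238 code with the parameters listed above (30 s step, SHA-1 or SHA-256, 6 digits) involves, as an added example that is not CodeB's code. The ±1-step drift window, the one-use-per-step replay check and the names `totp` and `TotpVerifier` are assumptions of this example; the secrets are the published RFC test keys.

```python
import hashlib
import hmac
import struct

STEP = 30     # seconds per time step, as listed on the page
DIGITS = 6    # 6-digit codes
ALGOS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def totp(secret: bytes, unix_time: int, algo: str = "sha1") -> str:
    """RFC 6238 code for the time step that contains unix_time."""
    counter = struct.pack(">Q", unix_time // STEP)
    mac = hmac.new(secret, counter, ALGOS[algo]).digest()
    offset = mac[-1] & 0x0F                    # RFC 4226 dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)


class TotpVerifier:
    """Accepts a code within +/- window steps; a step is never accepted twice."""

    def __init__(self, secret: bytes, algo: str = "sha1", window: int = 1):
        self.secret, self.algo, self.window = secret, algo, window
        self.last_step = -1                    # highest step already consumed

    def verify(self, code: str, unix_time: int) -> bool:
        now = unix_time // STEP
        matched = None
        for step in range(max(0, now - self.window), now + self.window + 1):
            expected = totp(self.secret, step * STEP, self.algo)
            # Constant-time compare; no early exit, so timing does not
            # reveal which step (if any) matched.
            if hmac.compare_digest(expected.encode(), code.encode()):
                matched = step
        if matched is None or matched <= self.last_step:
            return False                       # wrong code, or replayed step
        self.last_step = matched
        return True


# Constructed inputs: test secrets from RFC 6238 Appendix B (not real keys).
SHA1_SECRET = b"12345678901234567890"
SHA256_SECRET = b"12345678901234567890123456789012"

if __name__ == "__main__":
    v = TotpVerifier(SHA1_SECRET)
    print(totp(SHA1_SECRET, 59), v.verify("287082", 59), v.verify("287082", 60))
```

The replay check matters at a shared workstation: a code read off someone's screen stays valid for the whole drift window unless the verifier records the step it has already accepted.
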
Bundled with CP V2

Two companions that ship inside the same licence.

The Credential Provider V2 licence carries two add-ons that solve the next problems most customers run into after they've hardened workstation logon. Each is also available standalone.

Add-on 01

CodeB Web SSO

One login. Every web app. No passwords exposed. A managed browser extension for Edge and Chrome that fills usernames, passwords and the 6-digit TOTP step on the way in — and signs users into legacy Windows and Java apps such as T2med — without ever exposing credentials to page JavaScript.

Add-on 02

CodeB Desktop Switcher

Don't tidy your desktop. Replace it. One hotkey swaps your desktop files, icon layout and per-monitor wallpapers for a clean profile — perfect just before a Zoom or Teams screen share. Tap again to bring everything back exactly as you left it.

Deployment

From pilot workstation to organisation-wide rollout in four steps.

CodeB ships as a credential provider DLL and a small set of policy templates. No directory schema changes, no agents on the domain controller, no cloud dependency unless you want one.

01

Install on a pilot workstation.

Sign in once with your existing account. The installer registers the CodeB credential tile alongside the Microsoft password tile. Nothing is locked down yet.

02

Enrol a token per user.

Tap an NFC card, scan a TOTP secret with any compliant authenticator app, present a PKI smartcard, or plug in a USB key for evaluation. Multiple tokens per identity are supported.

03

Roll the policy via Group Policy or the command line.

Push the configuration to your Windows machines via Group Policy or the command line. Disable the Microsoft Password Provider and (optionally) set ProhibitFallbacks to enforce CodeB even in Safe Mode.

04

Audit, attribute, and forward to RDP.

Every logon, lock and unlock event becomes attributable to a token holder. Smartcard sessions forward over RDP into hosted desktops, including Azure Virtual Desktop with a KDC proxy.

Ready to replace the password tile?

Tell us about your environment — Windows mix, account model, token preferences — and we'll propose a pilot deployment within two business days.