Support & frequently asked questions.

It is a standalone .NET library that plugs into the Windows logon screen via Microsoft's Credential Provider API. Where Windows ships with a single password tile, CodeB adds a tile that accepts NFC cards, RFC 6238 TOTP codes, X.509 PKI smartcards and USB memory tokens — and it can replace the password tile entirely when policy demands it.

Most MFA tools sit on top of an existing password logon. CodeB is the logon itself. It implements the ICredentialProviderCredential2 interface and ships with an integrated Credential Provider Filter, which means it can hide the Microsoft Password Provider tile rather than just adding a second factor next to it. That distinction matters at audit time.

Either, or both. CodeB supports local accounts, Active Directory accounts and Microsoft Entra ID accounts on the same workstation. Hybrid environments are the most common deployment shape we encounter.

Two add-ons travel with the CP V2 licence at no extra cost: CodeB Web SSO, a managed browser extension for Edge and Chrome that fills usernames, passwords and TOTP codes into web apps (and into legacy Windows / Java apps such as T2med) without ever exposing credentials to page JavaScript, and CodeB Desktop Switcher, a hotkey-driven tool that swaps your desktop files, icon positions and per-monitor wallpapers for a clean profile before you share your screen. Either can be licensed standalone if you already use a different desktop logon stack.

The Credential Provider V2 ships with native support for NFC cards based on MIFARE and DESFIRE, RFC 6238 TOTP codes, X.509 PKI smartcards and software certificates, and plain USB memory sticks for evaluation. Beyond that, a wide library of NFC tokens is supported — including national identity cards, transit cards, bank cards, and the wider DESFIRE family.

Issue them a USB memory token for evaluation, or use any RFC 6238 TOTP app — the same identity can log in to Windows whether the card is present or not.

Yes. A common pattern is a primary NFC card plus a TOTP app on a phone as a backup for the days someone leaves the card at home. There is no extra licence cost for additional tokens per identity.

The CodeB Credential Provider 2 supports every Windows edition from Windows 8 onward, including Windows 8.1, 10, 11 and the corresponding Windows Server releases up to Server 2025. Pre-Windows 8 systems are out of scope for the current Credential Provider V2 build.

CodeB ships as a command-line installer. An MSI package is available on request. The Credential Provider configures via registry policy, so any tool that can write to the registry — Group Policy, SCCM, Ansible, PowerShell DSC, hand-crafted .reg files — can deploy it. We do not currently ship our own ADMX templates; the registry keys are short and documented in the install guide.

Yes. The Windows smartcard channel is forwarded over RDP into hosted desktops, including Azure Virtual Desktop. For AVD specifically you will typically pair CodeB with a KDC proxy so that the PKINIT exchange against the domain controller can complete from clients without line-of-sight to AD.

No internet connection or cloud service is required. Every component — the Credential Provider, the audit log and the Web SSO endpoint — runs on your own infrastructure. There is no SaaS control plane to authenticate against. The product is deployed and used regularly in fully air-gapped defence and OT networks where an internet connection isn't available at all.

In a typical hardened setup the Microsoft Password Provider is hidden via the built-in CodeB Credential Provider Filter, not disabled outright. Disabling the Microsoft Password Provider system-wide can have unwanted side effects on Windows internals; hiding it via the filter cleanly removes the tile from the LogonUI without touching anything underneath. The same filter stops other providers from advertising themselves to LogonUI.

The Identity platform (Enterprise tier and above) emits structured logon, lock, unlock and elevation events over syslog and via direct SIEM connectors — Splunk, Sentinel, Elastic and the open syslog spec. The audit log itself is tamper-evident: each entry is chained, so removed or altered events show up.

Yes — and uniquely so. The Credential Provider V2 is written in 100 % managed .NET code, which means it routes its cryptography through the Windows CNG layer. When you turn on the Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, Windows itself enforces FIPS 140-2 against every crypto call the credential provider makes.

Every other Windows credential provider we are aware of is built in native code with its own crypto path, which cannot be enforced via that policy. If you operate in a FIPS-mandated environment, CodeB lets you tick one GPO box and have the operating system guarantee compliance — no signed letters of attestation required.

Per-seat, billed annually, with multi-year options. A seat is one user identity regardless of how many devices that identity logs into. See the pricing page for tier detail.

Every tier includes email support against a documented SLA — 24 hours on Workstation, four hours on Enterprise, one hour on Sovereign. Enterprise and Sovereign customers also get a named engineer who joins your rollout calls.

Yes — pilots are billed at the Workstation tier price for up to 90 days, even when you're testing Enterprise features. After the pilot, you commit to a tier and term.

Coordinated disclosure to info@codeb.io. We follow a 90-day coordinated-disclosure window unless an immediate exploitation risk requires a shorter timeline.