Four industries. One common requirement: attributable Windows logon.

CodeB is not a horizontal SaaS. The product line was shaped by years of work in clinical environments, on manufacturing floors, inside Windows-embedded industrial machines, and across regulated office environments — places where Windows logon is operational infrastructure, not a checkbox, and increasingly a NIS2 obligation.

Critical infrastructure · NIS2

All four sectors fall under NIS2 obligations.

NIS2 (Directive EU 2022/2555) classifies organisations across energy, transport, water, food, healthcare, manufacturing of essential goods, public administration, digital infrastructure and many other sectors as essential or important entities. Article 21 explicitly requires risk-managed authentication for every system that touches the operation. Whether you are a hospital, a CNC OEM, a packaging-line operator or a regulated office, CodeB gives you the cryptographically attributable Windows logon your competent authority expects — on-premises, on your own infrastructure.

Article 21 · Essential entities · Important entities · DORA · IEC 62443 · EU CRA

What's hard here

Clinical staff sign in and out dozens of times a shift. Passwords get written under keyboards. Shared accounts make access-trail reconstruction impossible. The contactless and PKI cards your hospital already issues can serve as logon tokens, but typically aren't wired into Windows out of the box.

German clinics: the regulatory map

German hospitals and practices answer to a denser stack of obligations than almost any other sector. CodeB is deployed in this environment because it lines up cleanly with each one:

  • DSGVO & BDSG — patient records are special-category data under Art. 9 GDPR. Per-user authentication is the foundation of any defensible data-protection impact assessment. Shared accounts undermine that on day one.
  • § 203 StGB — Verschwiegenheitspflicht — German criminal law holds doctors, dentists and clinical staff personally responsible for protecting patient secrecy. Strong, attributable Windows logon makes the technical case that access was constrained to authorised individuals.
  • § 75c SGB V — since 2022, every German hospital must implement IT security "nach dem Stand der Technik". The Bundesärztekammer and DKG read this as mandating MFA on clinical workstations. CodeB is the MFA layer sitting at the Windows logon screen itself.
  • B3S Krankenhaus & KRITIS — the industry-specific security standard for hospitals under § 8a BSIG. Section 5 (Identity and Access Management) explicitly requires strong authentication for clinical systems. CodeB delivers that without bolting on a separate IAM platform.
  • KHZG funding — the Krankenhauszukunftsgesetz earmarked 15 % of digitalisation funds specifically for IT security. CodeB qualifies as an eligible measure under FT 10 (IT security), so the rollout is fundable through your KHZG-Antrag.

How CodeB is deployed

Ward roaming workstations

NFC tap to log in. Card removal is policy-configurable — do nothing, lock the workstation, or sign the user off. Sessions follow the clinician across the ward via standard Windows roaming profiles or VDI.

NFC · Active Directory · Roaming profiles

Hospital PKI logon

Existing hospital-issued PKI cards reused as X.509 logon tokens — no separate issuance and no parallel credential store. Per-user attribution on every record access.

X.509 PKI · Hospital-issued cards · Per-user attribution

Pharmacy and lab terminals

USB-token logon for shop-floor-style lab benches where NFC readers are impractical, with per-user attribution on every dispensing or analyser action.

USB token · Per-user attribution

Featured case study

Automatic logon to T2Med (Java clinic software).

T2Med is the Java-based clinic software in widespread use across primary-care practices. With CodeB, the clinician taps an NFC card once and lands inside T2Med, already signed in — no Windows password, no T2Med password, no TOTP code typed by hand.

How it works

The CodeB Credential Provider secures the Windows logon with a second factor — NFC card or TOTP — and at the same time enables passwordless logon. An authorised NFC card or TOTP code fully replaces the username-and-password step. Hold a registered card to the reader and the Windows session opens.

The bundled Web SSO engine extends the same authentication into web apps, classic Windows apps and Java-based desktop applications. It detects the application's login window, fills the right credentials, and — if a TOTP code is required — calculates and enters it. T2Med is a typical example: once configured, the clinician taps once and T2Med opens already authenticated.

Four-step setup

  1. Download CodeB. Get codeb_tray.zip from our download site.
  2. Install the Credential Provider. Run CredentialProviderInstaller.exe from the zip and click Install Credential Provider.
  3. Add a Web SSO entry for T2Med. Run CodeBWebSSO.exe, click Add Domain, enter t2med, click Done. A default t2user account is pre-created for the demo system — replace it with your own credentials or add more users as needed.
  4. Start the tray helper. Run codeb_tray.exe from the zip — this is the process that injects credentials into T2Med at runtime.

Result: the next time T2Med starts, the clinician is signed in automatically.

What's hard here

OT environments tolerate very little disruption. Updating Windows is a quarterly event, not a Tuesday. Operators wear gloves; touchscreens are clumsy; cards get lost. Yet NIS2 and customer audits now demand individual attribution of every action that touches the MES.

How CodeB is deployed

MES operator stations

Hardened USB-token logon at line-side terminals. Tokens are sealed inside operator wristbands; a missing token automatically locks the station.

USB token · Auto-lock · NIS2

Engineering and CAD workstations

PKI smartcard logon for engineering workstations, with the same identity attribution applied to off-site contractors as to in-house engineers.

X.509 PKI · Engineering workstations · Contractor access

Quality and changeover booths

Tap-and-go NFC for fast shift handovers, with TOTP as a second factor where the supervisor approval flow requires one.

NFC · TOTP · Step-up MFA

What's hard here

OEM machine controllers are built on whatever Windows version was current when the machine left the factory — and they stay in service for ten to twenty years, often on networks with no internet at all. The HMI typically has two user populations: the shift operator who runs the machine, and the service engineer who reconfigures it. Both need attributable logon, and increasingly under NIS2 because the host industry (food, pharma, energy, water, manufacturing of essential goods) is in scope.

How CodeB is deployed

Operator logon at the HMI

NFC tap from the operator's company card unlocks the machine HMI; the card stays with the operator for the shift. Card removal can be configured to do nothing, lock the screen or sign the operator off, depending on machine-safety policy.

NFC · HMI · Operator role

Service-engineer access

X.509 PKI smartcard logon for the OEM service engineer who configures the machine. It separates "operate" from "configure" privileges and produces a tamper-evident audit entry that links the service action to a named engineer.

X.509 PKI · Service-mode · Audit trail

OEM bundle for machine builders

OEMs can pre-install CodeB on the embedded controller image, so the customer receives a NIS2-ready machine out of the box. Licensing terms accommodate the long service life: perpetual licences keep working on the version they were issued for, with no annual renewal pressure on a 15-year machine.

OEM bundle · Perpetual licence · Air-gap deployable

What's hard here

Office environments are heterogeneous: laptops on the road, desktops on-prem, Azure Virtual Desktop for contractors. Auditors expect cryptographically attributable logon, but most environments still rely on a password and an SMS code, both phishable.

How CodeB is deployed

Hybrid laptop deployments

Entra-joined laptops with PKI smartcards in the secure element; a TOTP app as a backup when the card is forgotten at home.

Entra ID · PKI · TOTP

Reception kiosks and meeting-room screens

NFC tap from a visitor pass or staff card to release the kiosk session, with per-user attribution recorded against every visitor or staff entry.

NFC · Visitor management

Doesn't quite fit one of these?

The product line is built on standards — Windows credential providers, X.509, OIDC, ICAO 9303. If your environment runs Windows, CodeB very likely already has a deployment pattern for it.