Three products. One identity stack for Windows.

What it replaces

The Microsoft Password Provider tile. CodeB ships with an integrated Credential Provider Filter so once policy is applied, the password tile disappears entirely.

Heritage

CP V2 is not a v1.0 product. Aloaha built and supported Aloaha Smartlogin for more than two decades — one of the longest-running Windows credential providers on the market. The Credential Provider V2 is its full re-engineering in modern managed code: same operational pedigree, modern architecture, a plugin model that makes new token types easy to add. You are buying twenty years of edge-case knowledge dressed in a current codebase.

FIPS 140-2 enforceable — and unique

Because the Credential Provider V2 is written in 100 % managed .NET code, it honours the standard Windows Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing.” Switch it on and Windows itself enforces FIPS 140-2 against every crypto call CodeB makes — no extra runtime, no parallel crypto library, no trust-us claim. Every other Windows credential provider we know of is built in native code that cannot be enforced this way. If you need a FIPS-compliant logon path, CodeB is the only credential provider that gives you one by ticking a single GPO box.

Two editions, one credential provider

Pick whichever ships best with your deployment model. Both editions sit on top of the same credential provider — the difference is how the supporting helpers are packaged.

Production tip: the System Tray icon can be hidden from end users by setting the registry value HKLM\SOFTWARE\WOW6432Node\CodeB\Config\HideSystray. The helper keeps running — including card-remove actions — but ordinary users can’t see or misconfigure it. More background: deployment notes on win-logon.com.

Admin tooling for unattended rollouts

CodeB Admin CLI (CodeBAdminCLI.exe) is a separate command-line utility for system administrators. It performs the same enrollment actions the GUI helpers do — link an NFC card to an Active Directory user, store encrypted credentials, create local soft-tokens, audit assignments, revoke a card — but unattended, from any batch script, PowerShell pipeline or SCCM task. Rolling out 500 cards by hand is a week; doing it from a CSV in a loop is an afternoon.

Switches it understands

/add2fa	Link a card serial as a second factor for an AD user. Equivalent to LinkNFC2AD.exe in script form.
/add2ad	Store encrypted credentials in AD ("Store to AD" enabled). Replaces the manual flow of LinkNFCCard.exe.
/add2fs	Create an encrypted soft-token locally instead of storing to AD.
/list2facards	List every card serial currently assigned to a specific user.
/list2fa	Reverse lookup — given a card serial, find which user owns it.
/deletecard	Remove the card reference from both the 2FA records and the credential tokens.

Parameters

/user	Username being managed.
/domain	Logon domain the user belongs to.
/password	User's password — required with /add2ad only.
/cardserial	Unique identifier (UID) of the NFC card.
/pin	PIN to be assigned to the card for logon verification.
/action	1 = lock screen on card removal, 2 = sign user off.

Example invocations

:: Link a card serial as second factor
CodeBAdminCLI.exe /add2fa /user stefan /domain CodeB /serial AAFFBBCC

:: Store encrypted credentials in AD
CodeBAdminCLI.exe /add2ad /user stefan /domain CodeB /password letmein /serial AAFFBBCC /pin 1234

:: Or store the encrypted credentials locally as a soft-token
CodeBAdminCLI.exe /add2fs /user stefan /domain CodeB /password letmein /serial AAFFBBCC /pin 1234

:: List every card assigned to a user
CodeBAdminCLI.exe /list2facards /user stefan /domain CodeB

:: Reverse lookup: which user owns this card?
CodeBAdminCLI.exe /list2fa /serial AAFFBBFF

:: Revoke a card (clears 2FA + credential token)
CodeBAdminCLI.exe /deletecard /serial AAFFBBFF /user stefan

Admin tip: run the calling shell or scheduled task with elevated privileges — the CLI writes to AD attributes and the credential store. More background and complete reference: CodeB Admin CLI documentation on win-logon.com.

Tokens it accepts

Listed in order of how often we see them deployed.

• NFC contactless cards — the most popular choice. MIFARE Classic, MIFARE DESFIRE EV1/EV2/EV3, and a wide library of contactless cards. Use them as a second factor or to replace the password entirely.
• TOTP per RFC 6238 — 30-second windows, SHA-1 / SHA-256. The second most popular token. Use it as a second factor or to replace the password entirely.
• X.509 PKI smartcards — healthcare, defence and corporate-issued cards. Software certificates also supported. Less commonly deployed; selected where an existing PKI estate is already in place.
• USB memory stick — a quick way to evaluate the product on a workstation without procuring new hardware. Convenient for proof-of-concept; we recommend moving to NFC, TOTP or PKI for production.

Where it runs

Operating systems	Windows 8, 8.1, 10, 11 · Windows Server 2012 R2 → 2025 (x86 + x64)
Account model	Local · Active Directory · Microsoft Entra ID · hybrid
Distribution	Command-line installer · deployable via Group Policy or any registry-driven configuration tool · MSI on request
Architecture	Built on ICredentialProviderCredential2 with integrated Credential Provider Filter; custom plugin library supported.
FIPS 140-2	Enforceable by Windows Group Policy (managed-code architecture honours “Use FIPS compliant algorithms”). Native-code competitors cannot be enforced this way.
Sovereignty	No cloud required · EU product. On-premises only · no SaaS control plane · no cloud or internet connection required to function · air-gap deployable · Aloaha Limited is an EU (Malta) entity outside US CLOUD Act reach

What it actually does

Web SSO ships as a browser extension distributed through the official Microsoft Edge Add-ons and Chrome Web Store, paired with a small native helper. When a user navigates to a configured site, the helper supplies the credential to the extension over a secure channel and the extension drops it into the login form on the user's behalf. The credential is never read by the page, never serialised into page-level JavaScript, and never copied to the clipboard.

For security teams

• No browser-stored credentials. Credentials live in the native helper at the OS level — not in browser profile storage, not in extension storage, not synced across browsers. A leaked browser profile or compromised sync key reveals nothing.
• No clipboard, no persistence. Web SSO fills credentials directly into form fields over Chrome and Edge's process-isolated Native Messaging channel. They are not copied to the clipboard and not retained in extension memory between sign-ins.
• Distributed through official browser stores. Signed and reviewed by Microsoft and Google — the same supply chain your existing browser-extension policy already governs.
• Zero-trust friendly. Combine with the Credential Provider V2 and every web sign-in is anchored to a workstation logon that was itself attributable to an NFC card, PKI smartcard or USB token.

For your users

• One-click or silent login. Most sites sign in automatically the moment the page finishes loading; the rest are one click.
• No repeated prompts. Users stop typing usernames and passwords for the everyday tools entirely.
• No workflow interruptions. Once deployed, Web SSO is invisible until the rare case where it has to surface a prompt — then it asks once and remembers.
• TOTP auto-fill. Web SSO can generate and enter the 6-digit one-time password on the second-factor screen too. No phone, no copying codes between windows.

Beyond the browser: legacy and Java apps

The same credential broker that drives the browser extension can also sign users into legacy native Windows applications and into Java desktop apps that put up their own login dialog. A frequent deployment pattern is T2Med — the Java-based GP-practice management suite — where Web SSO removes the daily friction of program-start logins for clinicians. See the full T2Med case study and demo video. The mechanism generalises to any application that exposes a recognisable login surface.

Two ways to deploy it

Bundled with CP V2	Installed automatically by the Credential Provider Installer when you run the CodeB Tools Edition setup. No separate install step.
Standalone	Download the Web SSO package, run the executable once as Administrator on first launch so it can register with the supported browsers, and you're done. No CP V2 dependency.
Browser support	Microsoft Edge (Edge Add-ons store) · Google Chrome (Chrome Web Store) · Chromium-based browsers via the Chrome extension
Native & Java apps	Yes — credentials can be filled into legacy Win32 login dialogs and Java desktop apps. Reference deployment: T2Med.
Second factor	Generates and auto-fills RFC 6238 TOTP codes on the 2FA step, with the secret kept by the native helper, not by the page
Account configuration	Launch CodeBWebSSO.exe from the toolbox to add and edit user accounts per site / application
Distribution	Browser extensions auto-register on first browser restart after install; native helper is a single executable
Licensing	Included with Credential Provider V2 · standalone seat licence available

Watch · Desktop Switcher in action

The problem it actually solves

You're about to share your screen on a client call. Your desktop has 47 files on it — downloaded contracts, half-finished proposals, a screenshot of a meme. The meeting starts in 30 seconds. You start frantically dragging files into folders. Desktop Switcher is the alternative to that minute of panic.

A complete desktop swap, not an overlay

Other tools group your icons or hide the desktop. Desktop Switcher physically moves files in and out, restores icon positions exactly as you left them, and applies a different wallpaper to each monitor. When a profile is inactive, its files genuinely aren't on the desktop — they're parked in your AppData folder until you switch back.

What's in the box

• Real file isolation. Files of inactive profiles live in AppData, not on the desktop. The icons aren't hidden — they're gone, until you switch back.
• Per-monitor wallpapers with the full set of fit modes — Fill, Fit, Stretch, Tile, Center, Span. All applied atomically when you switch.
• Icon layouts preserved. Where each shortcut sits on the desktop is part of the profile. Switch back later and every icon lands exactly where you left it.
• Global hotkeys. Bind Ctrl+Alt+1 to your work profile, Ctrl+Alt+2 to your clean-for-clients profile. Works from anywhere in Windows, no mouse required.
• Tray boss-key. Configure the tray icon to switch to a designated profile on double-click. The fastest possible panic clean for an unexpected call.
• Command-line interface. CodeBDesktopSwitcher.exe --switch "Clean Demo" — wire it into scheduled tasks, batch files, or Stream Deck buttons.
• Hide-all-icons toggle. Don't want to build a profile? One menu item or hotkey hides every desktop icon entirely, until you toggle it back.
• Export & import. Profiles save to a single .cbds file — effectively a zip archive, so it diffs and version-controls like any other text bundle. Carry your setup to another machine, share a sanitised demo desktop with a colleague, or back up your config.
• Portable and lightweight. One executable, under 1 MB. No installer, no services, no admin rights, no traces. Drop it in any folder and run; delete the folder to uninstall.

Four steps. Then never think about it again.

1. Create a profile. The first profile silently adopts your current desktop. Nothing moves, nothing changes — it's just labelled now.
2. Customise for a context. Build a second profile by rearranging your desktop the way you want it — clean wallpaper, only a few icons. Click "Update From Desktop".
3. Switch with one click. Or a hotkey. Or a tray double-click. Files swap, wallpapers swap, icons land where you want them. Takes about a second.
4. Switch back. Same thing in reverse. Your real desktop reappears exactly as you left it, down to icon positions and per-monitor wallpapers.

Profiles follow your virtual desktops

Desktop Switcher pairs cleanly with Microsoft's built-in Virtual Desktops feature. In Task View (Win+Tab), rename any virtual desktop to match a Desktop Switcher profile and the two are linked automatically — no settings table, no GUIDs, no fragility when you rearrange desktops. Switching virtual desktops with Ctrl+Win+→ then applies the matching profile within a fraction of a second.

Two modes: wallpaper-only (default — instant, no Explorer restart, every virtual desktop ends up with its own backdrop) or full profile (files, icon positions and wallpapers all swap as you move between virtual desktops).

What it swaps	Desktop files · icon positions · per-monitor wallpapers
What it does not swap	Windows user sessions, open applications, file content. It is a presentation-layer tool.
Triggers	Global hotkey · tray double-click · CLI · Microsoft Virtual Desktop name match
File isolation	Inactive-profile files live in %AppData%; not visible on the desktop
Wallpaper fit modes	Fill · Fit · Stretch · Tile · Center · Span (per monitor)
Profile portability	Export / import to .cbds file (zip-based, inspectable in any archive tool)
Footprint	Single executable < 1 MB · no installer · no admin rights · no services
Operating systems	Windows 10 · Windows 11
Licensing	Included with Credential Provider V2 · standalone seat licence available