Support & frequently asked questions.

It is a standalone .NET library that plugs into the Windows logon screen via Microsoft's Credential Provider API. Where Windows ships with a single password tile, CodeB adds a tile that accepts NFC cards, RFC 6238 TOTP codes, X.509 PKI smartcards and USB memory tokens — and it can replace the password tile entirely when policy demands it.

Most MFA tools sit on top of an existing password logon. CodeB is the logon itself. It implements the ICredentialProviderCredential2 interface and ships with an integrated Credential Provider Filter, which means it can hide the Microsoft Password Provider tile rather than just adding a second factor next to it. That distinction matters at audit time.

Either, or both. CodeB supports local accounts, Active Directory accounts and Microsoft Entra ID accounts on the same workstation. Hybrid environments are the most common deployment shape we encounter.

Two add-ons travel with the CP V2 licence at no extra cost: CodeB Web SSO, a managed browser extension for Edge and Chrome that fills usernames, passwords and TOTP codes into web apps (and into legacy Windows / Java apps such as T2med) without ever exposing credentials to page JavaScript, and CodeB Desktop Switcher, a hotkey-driven tool that swaps your desktop files, icon positions and per-monitor wallpapers for a clean profile before you share your screen. Either can be licensed standalone if you already use a different desktop logon stack.

The Credential Provider V2 ships with native support for NFC cards based on MIFARE and DESFIRE, RFC 6238 TOTP codes, X.509 PKI smartcards and software certificates, and plain USB memory sticks for evaluation. Beyond that, a wide library of NFC tokens is supported — including national identity cards, transit cards, bank cards, and the wider DESFIRE family.

Issue them a USB memory token for evaluation, or use any RFC 6238 TOTP app — the same identity can log in to Windows whether the card is present or not.

Yes. A common pattern is a primary NFC card plus a TOTP app on a phone as a backup for the days someone leaves the card at home. There is no extra licence cost for additional tokens per identity.

Both patterns are equally supported and in practice our customers split roughly 50/50 between them.

• Pattern A — second factor. Keep the existing Windows password and add the NFC card or TOTP code as a second factor on top of it. Multi-factor logon.
• Pattern B — passwordless. Drop the password entirely and let the NFC card or TOTP code carry the logon on its own.

Same software, same tokens; you switch between them with policy. Regulated environments where the password is a known risk usually go passwordless; environments that already have established password hygiene typically add CodeB as a second factor first and migrate to passwordless later. We will help you decide which pattern fits your environment.

The CodeB Credential Provider 2 supports every Windows edition from Windows 8 onward, including Windows 8.1, 10, 11 and the corresponding Windows Server releases up to Server 2025. Pre-Windows 8 systems are out of scope for the current Credential Provider V2 build.

CodeB ships as a command-line installer. An MSI package is available on request. The Credential Provider configures via registry policy, so any tool that can write to the registry — Group Policy, SCCM, Ansible, PowerShell DSC, hand-crafted .reg files — can deploy it. We do not currently ship our own ADMX templates; the registry keys are short and documented in the install guide.

Yes. A separate command-line utility, CodeB Admin CLI (CodeBAdminCLI.exe), automates everything the GUI helpers do: linking a card serial to an Active Directory user as a second factor, storing encrypted credentials in AD or as a local soft-token, listing assignments, and revoking cards. It takes /user, /domain, /serial and /pin (plus /password for credential storage), so a CSV plus a PowerShell loop covers a full rollout. Download it from www.aloaha.com/download/CodeBAdminCLI.zip. Full reference and switches on the products page. Requires administrative privileges because it writes to AD attributes.

No internet connection or cloud service is required. Every component — the Credential Provider, the audit log and the Web SSO endpoint — runs on your own infrastructure. There is no SaaS control plane to authenticate against. The product is deployed and used regularly in fully air-gapped defence and OT networks where an internet connection isn't available at all.

In a typical hardened setup the Microsoft Password Provider is hidden via the built-in CodeB Credential Provider Filter, not disabled outright. Disabling the Microsoft Password Provider system-wide can have unwanted side effects on Windows internals; hiding it via the filter cleanly removes the tile from the LogonUI without touching anything underneath. The same filter stops other providers from advertising themselves to LogonUI.

Yes — and uniquely so. The Credential Provider V2 is written in 100 % managed .NET code, which means it routes its cryptography through the Windows CNG layer. When you turn on the Group Policy setting “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”, Windows itself enforces FIPS 140-2 against every crypto call the credential provider makes.

Every other Windows credential provider we are aware of is built in native code with its own crypto path, which cannot be enforced via that policy. If you operate in a FIPS-mandated environment, CodeB lets you tick one GPO box and have the operating system guarantee compliance — no signed letters of attestation required.

Two options: a perpetual licence at € 49.99 one-time per licence, or an annual subscription at € 19.99 per licence per year. Perpetual licences can optionally add maintenance at 20 % of the purchase price per year, which covers version updates and continued support. Licences are counted by the higher of users vs. machines. Volume discounts and project pricing on request — see the pricing page.

Email support is included with every CodeB licence — perpetual or annual subscription, large customer or single seat — for as long as you use the product. No warranty cliff, no premium support tier, no per-incident fees. The optional maintenance contract on perpetual licences (20 % of purchase price per year) covers version updates, not support. Both licence types can be upgraded with a named engineer on your rollout calls — quoted separately as professional services.

Yes — every feature is enabled on every licence, so a small pilot purchase exercises exactly the same software a production rollout would. We typically advise customers to start with a small batch of annual-subscription licences for the pilot, then move to perpetual or an expanded subscription once the architecture is validated.