Windows logon, re-engineered

Strong Windows logon. No cloud. No compromise.

On-premises Multi-Factor Authentication (MFA) and passwordless credential provider for Windows.

CodeB hardens Windows logon with NFC cards, TOTP codes, PKI smartcards and USB tokens — used as a second factor on top of the password, or replacing the password entirely. Roughly half of our customers run each pattern; policy decides which fits your environment. Works on local, Active Directory and Entra ID accounts from Windows 8 through Server 2025. Fully on-premises, no cloud or internet connection required. Air-gap deployable.

Why CodeB exists

Four problems your Windows logon has to solve under your own roof.

Most identity vendors assume a greenfield Entra ID environment. Regulated organisations rarely have that luxury. CodeB is built for the parts of your environment that still run Windows logon — be it local accounts or Active Directory — and have to keep running it, securely. We have been doing exactly this for over twenty years; CP V2 is the modern evolution of Aloaha Smartlogin, the credential provider Aloaha has built and supported since the early 2000s.

01 / Hybrid & Legacy Infrastructure

Hardening the Windows logon.

Every Windows workstation still authenticates with a username and password — whether it's an office desk, a civil-service terminal, a manufacturing line PC or a clinical workstation on a hospital ward. CodeB layers strong authentication over that existing credential model, in place, without rewriting the desktop and without moving identity to the cloud.

02 / Compliance pressure

Per-user attribution — even for the shared accounts you can’t retire.

NIS2, DORA, the EU AI Act and sector-specific rules demand strong, attributable logon. Most companies cannot simply retire their historically-grown shared accounts. CodeB layers per-user NFC or TOTP authentication and auditing on top of those accounts — and on shared Windows accounts CP V2 can append the authenticating card’s ID to the Office author name, so every Word, Excel and PowerPoint edit stays traceable to a real person and your auditors get the evidence they recognise.

03 / Operator friction

Clinicians, operators and shop-floor staff need fast sign-in.

A nurse logging into a roving terminal cannot type a 16-character password fifty times a shift. Tap-and-go NFC and TOTP restore sub-second logon without trading away security.

04 / Digital sovereignty

No cloud required. No internet required. Works air-gapped.

CodeB is operated by an EU company (Aloaha Limited, Malta) and runs entirely on your own infrastructure. The product is designed to operate without a cloud or internet connection. It deploys and runs on air-gapped OT and clinical network segments and in jurisdictions where data cannot leave the country. No customer data is ever stored or processed outside the EU. CodeB is designed for organisations seeking European-operated, self-hosted identity infrastructure without dependency on US cloud platforms.

Air-gapped ready

Runs in the rooms where the internet doesn’t.

Defence labs, isolated OT segments, hospital networks behind a one-way firewall, factory floors with no outbound route. CodeB is engineered to behave the same with or without the internet — and that engineering reality is the single biggest reason regulated operators standardise on us.

Runs without internet

CodeB itself does not open outbound connections to function. Install media, enrol cards, sign in — designed to work offline. Underlying Windows and .NET runtime behaviour is determined by your OS configuration.

No SaaS control plane

No tenant. No subscription server to call home to. No upstream service that can go dark and lock your users out at the logon screen.

No CodeB telemetry

CodeB itself does not phone home with usage data, machine inventories or token statistics. Outbound traffic from the underlying Windows OS or third-party software is governed by your own configuration.

Works during internet outages

When the upstream ISP, the SaaS identity provider or the VPN concentrator falls over, your operators still sign in. That is the entire point.

Critical infrastructure · NIS2

If you fall under NIS2, strong authentication is no longer optional.

NIS2 (Directive EU 2022/2555) classifies organisations across energy, transport, water, food, healthcare, manufacturing of essential goods, public administration, digital infrastructure and many other sectors as essential or important entities. Article 21 explicitly requires risk-managed authentication for every system that touches the operation. CodeB delivers exactly that — at the Windows logon screen, on-premises, with the audit trail your competent authority expects.

Article 21 · Essential entities · Important entities · DORA · IEC 62443 · EU CRA

Flagship · Credential Provider V2

One credential provider. NFC, smartcard, TOTP and USB.

The CodeB Credential Provider V2 is a fully managed .NET implementation of Microsoft's ICredentialProviderCredential2 interface. Every supported token — NFC card, TOTP code, PKI smartcard or USB stick — can be deployed as a second factor alongside the existing password, or used to replace the password entirely. Both patterns are equally supported; in practice our customers split roughly 50/50 between them.

  • Local, Active Directory and Entra ID account support on the same workstation.
  • Standalone or domain-joined; works on every Windows edition from Windows 8 through Server.
  • Plugin architecture — you can extend it with your own login token or authorisation workflow.
  • Works with any RFC 6238 TOTP app for the moments where a contactless card isn't available.
  • No cloud required. Installs and runs on-premises. No cloud or internet connection is required for the product to function. Air-gap deployable.

Supported tokens

  • NFC contactless: MIFARE Classic · DESFire EV1/EV2/EV3
  • PKI smartcard: X.509 · corporate & sector PKI
  • USB memory stick: for quick evaluation, no hardware to procure
  • TOTP: RFC 6238 · 30 s · SHA-1/SHA-256

Bundled with CP V2

Two companions that ship inside the same licence.

The Credential Provider V2 licence carries two add-ons that solve the next problems most customers run into after they've hardened workstation logon. Each is also available standalone.

Add-on 01

CodeB Web SSO

One login. Every web app. No passwords exposed. A managed browser extension for Edge and Chrome that fills usernames, passwords and the 6-digit TOTP step on the way in — and signs users into legacy Windows and Java apps such as T2med — without ever exposing credentials to page JavaScript.

Add-on 02

CodeB Desktop Switcher

Data Exposure Prevention for screen shares. Instantly hide sensitive clinical records, internal schematics or operational files with a single tap before initiating a Teams or Zoom screen share. One hotkey swaps your desktop files, icon layout and per-monitor wallpapers for a clean, shareable profile; tap again to restore the working desktop exactly as you left it.

Deployment

From pilot workstation to organization-wide rollout in four steps.

CodeB ships as a credential provider DLL and a small set of policy templates. No directory schema changes, no agents on the domain controller, no cloud dependency unless you want one.

01

Install on a pilot workstation.

Sign in once with your existing account. The installer registers the CodeB credential tile alongside the Microsoft password tile. Nothing is locked down yet.

02

Enrol a token per user — one at a time, or by the hundred.

Tap an NFC card, scan a TOTP secret with any compliant authenticator app, present a PKI smartcard, or plug in a USB key for evaluation. Multiple tokens per identity are supported. For larger rollouts, mass enrolment and card assignment are scripted centrally via the CodeB Admin CLI — pipe a CSV of users and card UIDs into CodeBAdminCLI.exe and provision five hundred cards against Active Directory in an afternoon, with no per-user enrolment ceremony.

03

Roll the policy via Group Policy or the command line.

Push the configuration to your Windows machines via Group Policy or the command line. Hide the Microsoft Password Provider via the built-in CodeB Credential Provider Filter so end users only see the CodeB logon tile.

04

Audit and attribute every logon.

Every logon, lock and unlock event becomes attributable to the token holder and is written to the standard Windows event log — replay-resistant, ready for any audit interview.

Our promise

Humans answer here.

Email read by a person

Every message to info@codeb.io lands in a real inbox watched by engineers. No AI auto-reply. No ticket queue to chase. Same working day in most cases, never later than the next.

Phone picked up by a person

Call our German lines in CET business hours and someone answers. No phone tree, no "press 1 for sales," no hold music. If we're with another customer, we call back the same day.

The reader is the helper

The person who reads your message is the person who can solve the problem, or who knows precisely who to bring in. No deflection into chatbots, no self-service mazes.

Plain answers, including "no"

If CodeB isn't the right tool for your situation, we'll tell you so directly and point you somewhere that fits. Two decades of customers tell us that's why they stay.

Reply target: 1 business day  ·  Phone hours: CET, Mon–Fri  ·  Languages: English, German

Ready to replace the password tile?

Tell us about your environment — Windows mix, account model, token preferences — and we'll propose a pilot deployment within two business days.