Every product on the shortlist solves part of the Windows-logon problem and asks you to live with the rest. Microsoft pulls you into the cloud. Duo pulls you into a US SaaS. Yubico ties you to one piece of hardware. HYPR needs a phone in every pocket. CodeB delivers all four hard requirements with a single product. This page is the matrix, the honest gaps and the dates.
These four are the ones we see fail evaluations most often. Tick them on every product on your shortlist and the field narrows quickly.
CodeB ships as software that runs entirely on your infrastructure. No SaaS control plane, no telemetry pipeline, no licence-server-in-the-sky. Air-gap deployable on day one, certified for it by years of OT-network customers.
MIFARE Classic, MIFARE DESFIRE EV1 / EV2 / EV3, national ID cards, transit cards, plus RFC 6238 TOTP, X.509 PKI smartcards and USB tokens — at the same time, on the same machine, with policy choosing per user. Single-vendor hardware lock-in is not a requirement.
Because the Credential Provider is 100 % managed .NET code routing through Windows CNG, you turn on the standard Group Policy “Use FIPS compliant algorithms” and Windows itself enforces it against every crypto call CodeB makes. Native-code competitors can't be enforced this way.
Same software covers Windows 8 / 8.1 / 10 / 11 and Windows Server 2012R2 through 2025, on x86 and x64. Most modern competitors start at Windows 10 or 11 — leaving your clinical PCs, manufacturing terminals and shop-floor OEM controllers unsolved.
Six realistic alternatives across the rows; what each one delivers in the columns. Sourced from each vendor's public documentation as of May 2026. We update this page quarterly — if you spot something inaccurate, please write to info@codeb.io.
| Capability | CodeB CP V2 | MS Windows Hello for Business | Cisco Duo for Windows Logon | Yubico Login for Windows | HYPR True Passwordless | RSA SecurID Agent | AuthLite |
|---|---|---|---|---|---|---|---|
| Runs fully on-premises, no cloud | Yes | No Entra ID needed | Partial cloud-anchored | Yes local mode | No SaaS | Yes on-prem Auth Mgr | Yes |
| Air-gap deployable | Yes | No | No | Yes manual provisioning | No | Yes | Yes |
| No separate server, appliance or SaaS to deploy | Yes | No Entra Connect + Intune / ADFS | No Duo cloud | Optional YubiOn for central mgmt | No SaaS | No Auth Manager appliances | Partial extends AD schema |
| Centrally provisioned by admin (not per-user enrolment) | Yes Admin CLI + AD attrs | No user enrols on first sign-in | Yes Duo cloud | Manual / YubiOn | Yes HYPR cloud | Yes Auth Manager | Yes AD attrs |
| NFC contactless cards (MIFARE / DESFIRE) |
Broad | No | No | YubiKey only | No | Limited | No |
| TOTP (RFC 6238) | Yes | No | Yes | Yes OATH-TOTP | No | Yes | Yes |
| PKI smartcards (X.509) | Yes | Yes | No | Yes PIV | via integrations | Yes | No |
| USB memory stick token | Yes | No | No | No | No | No | No |
| FIPS 140-2 enforceable via Windows GPO | Yes managed code | Partial | FIPS-mode option | FIPS YubiKey hardware | No | Token-only | No |
| Windows 8 → Server 2025 supported | Yes | Win 10+ only | Older Windows narrowing | Win 10+ | Win 10/11 | Yes | Yes |
| Local + AD + Entra ID accounts on same workstation | Yes | Entra-centric | AD-centric | Limited locally | No | Yes | AD-centric |
| Same software supports BOTH 2FA and full passwordless | Both, by policy | Passwordless-first | 2FA-first | Yes | Passwordless-first | 2FA-first | 2FA-first |
| Replaces / hides the Microsoft password tile | Yes | Yes | No, on top | Optional | Yes | Yes via filter | No, on top |
| Java / legacy desktop-app auto-fill (T2Med pattern) | Yes via Web SSO | No | No | No | No | No | No |
| Perpetual licence option | Yes €49.99 | Subscription | Subscription | Hardware purchase | SaaS | Hybrid | Yes |
| EU vendor outside US CLOUD Act reach | Yes Malta | US | US | Yubico Sweden, US sub | US | US | US |
OK = supported · Partial = available with caveats · No = not supported. Last reviewed 21 May 2026. Sources: each vendor's public documentation. Found something inaccurate? info@codeb.io.
Short, factual, no mockery. If you're already evaluating one of these, the third line tells you when CodeB is the better answer.
Free with Windows licences. Phishing-resistant by design. Polished UX. Built into the operating system.
Every meaningful deployment — Cloud Kerberos Trust, Certificate Trust, Key Trust — needs Entra Connect, Entra ID and either Intune or ADFS. Hello cannot be provisioned centrally: enrolment happens per-device, performed by the end user on first sign-in — admins cannot pre-issue Hello credentials from a console. Enterprises tell us this is the deal-breaker. No NFC card support for arbitrary badges. No air-gap. Devices must register in Entra.
Healthcare, manufacturing or embedded that won't (or can't) move identity to Entra. Existing NFC badge estates you want to reuse. Windows Server 2012R2 / Windows 8 boxes still in service.
Mature install base and strong helpdesk. v4.0+ has an offline mode (password + Duo Mobile / Bluetooth proximity) so a brief cloud outage doesn't lock everyone out. Cisco brand backing.
Cloud-dependent in normal operation — telemetry, policy, enrolment all flow through Duo's US infrastructure (US CLOUD Act exposure). 2FA-on-top-of-password by design — doesn't replace the password tile. No NFC card support for arbitrary badges. Subscription pricing only.
Air-gap and OT networks. Hospitals where clinicians tap a card, not pull out a phone. EU sovereignty mandates. Perpetual licence.
One physical token covering OATH-TOTP/HOTP, PIV smartcard, Yubico OTP and OpenPGP on the same device. NFC tap on Windows for compatible readers. FIPS 140-2 Level 2 YubiKey 5 FIPS variant available. IP68, no battery.
Single-vendor lock-in to YubiKey hardware at €50–€85 per device. Cannot use the hospital's existing MIFARE staff cards, the council's existing access cards or any non-YubiKey NFC card. Limited central management without YubiOn cloud.
Customers with existing NFC card estates who want to reuse them for Windows logon instead of issuing a second device. Mixed token estates (some users NFC, some TOTP, some USB).
Modern passwordless UX. Polished mobile-driven flow. Strong enterprise integrations with Okta, Entra, ForgeRock and Ping. Phishing-resistant authentication design.
SaaS platform. Public key stored in HYPR cloud. Phone-required for the primary flow — bad fit for hospital wards, manufacturing floors, ATEX zones and anywhere phones aren't allowed.
Anywhere phones aren't on the body. Anywhere cloud is excluded. Anywhere the hardware token has to be a contactless card already in use.
Mature on-prem deployment. Credential Provider Filter (hides MS / smartcard / third-party / SecurID tiles). Multi-user / shared-computer support — the hospital workstation use case. Offline data for disconnected operation.
SecurID-token-centric — proprietary hardware/software ecosystem with its own licensing economics. Heavy infrastructure: Authentication Manager appliances + replicas. Aging brand. US ownership.
Anyone who looks at the RSA per-token economics and chooses commodity NFC cards plus TOTP without a six-figure Authentication Manager investment. Simpler deployment (no separate auth-manager appliance).
Genuinely on-prem, AD-native, no cloud. Specifically designed to defeat “Pass the Hash” against domain admins. Cached/offline logon for mobile workstations. Perpetual licensing.
YubiKey-centric — no NFC card breadth. Small single-product vendor. No Web SSO. No Java/legacy-app auto-fill. Less suitable beyond classic AD shops.
Same on-prem story, but with NFC card breadth + TOTP + USB stick + Web SSO + the T2Med-style Java auto-fill on top.
Not opinion — these are the points where, after you walk through the matrix above, only CodeB ticks the box.
CodeBAdminCLI.exe — 500 cards from a CSV in an afternoon. Windows Hello for Business cannot do this: every user must enrol Hello on their own device on first sign-in, with no admin pre-provisioning. Enterprises tell us this is Hello's most frequent deal-breaker.If we're not the right tool for your environment, we'd rather tell you up front than after the contract. These are the cases where another vendor is the better fit.
If any of the gaps above is a deal-breaker for your environment, one of the six competitors might be the better fit. We'd rather you find that out here than after the pilot.
Tell us which vendors are on your shortlist and what your hard requirements are. We'll come back with a clear-eyed read on which one fits — even if it isn't us.