True Passwordless Logon to Windows using Kerberos
(Smartcard not required)

Designed to provide strong authentication by using strong cryptography instead of passwords

In a typical Kerberos setup, a client (user) communicates with an authentication server to obtain "tickets" that grant access to a server's services. This mechanism ensures that passwords are not transmitted over the network, thus enhancing security.

The move to true passwordless login involves leveraging Kerberos in a way that completely removes the need for users to enter or remember passwords. Instead, alternative factors like NFC, security keys, or time-based one-time passwords are used. These methods are not only more secure but also provide a more convenient user experience.

In a Windows environment, integrating Kerberos for passwordless login involves configuring the Windows server and client systems to support Kerberos-based authentication methods. These methods use certificates to authenticate the user instead of a traditional password.

True passwordless login to Windows using Kerberos represents a significant step forward in cybersecurity. It not only enhances security by eliminating the vulnerabilities associated with passwords but also streamlines the authentication process, leading to a more user-friendly and efficient system. As organizations continue to focus on security, such innovations are crucial in safeguarding digital assets and identities in an increasingly interconnected world.

True Passwordless Windows logon with Kerberos boosts security, cuts breach risks, simplifies user access, and lowers IT costs, marking a major advance in cybersecurity.


Windows Requirements

Passwordless authentication to Active Directory requires that Windows workstations, Active Directory, and the Active Directory domain controllers be configured properly. Active Directory must trust a certification authority to authenticate users based on certificates from that CA. Both the Windows workstations and the domain controllers must have correctly configured certificates.

Install CodeB Credential Provider V2

The first step involves installing the CodeB Credential Provider V2, which is a straightforward process. Begin by clicking the 'Download' button below to acquire the Tools Edition. Once downloaded, unzip the files to a location of your choice.

Next, run the 'CredentialProviderInstaller.exe' tool with elevated admin rights and click the "Install Credential Provider" button. If you require an .msi version of the installer for automatic distribution via Active Directory, please contact us.

Finally, if you have a license key or an evaluation key, proceed to run the 'SmartLoginLicensing.exe' tool to activate your license.

Connect to Kerberos

The Tools Edition zip archive includes a sub-archive named 'kerberosinstaller.zip'. Unzip this as well to any location and run 'KerberosInstaller.exe' with elevated admin rights. Then, click on the "Install Kerberos Connector" button to complete this step.

For automatic distribution via Active Directory, you can request an .msi version of this installer from us.

Enroll Logon Certificate

To initiate a certificate enrollment, you will need to use the 'certmgr.msc' tool on your client machine. Begin by right-clicking on the Windows start menu and selecting 'Run'. In the run dialog, type 'certmgr.msc' and press enter.

This action will open the Certificate Manager. In this tool, right-click on the 'Personal' folder, navigate to 'All Tasks', and select 'Request New Certificate'. Proceed by following the on-screen instructions associated with the 'Active Directory Enrollment Policy'.

When it comes to selecting a certificate to enroll, choose the 'CodeB Credential Provider Certificate'. During the enrollment process, you will be prompted to create a PIN, which serves as a safeguard for your private key.
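
One way to check the certificate prerequisites from "Windows Requirements" once enrollment has finished, as an added example that is not CodeB's own code. It assumes a domain-joined client whose NTAuth cache has been populated by Group Policy; the function names are hypothetical, and the script only reads the current user's Personal store and the registry.

```powershell
# Added example (not CodeB code): read-only checks on the client after enrollment.
# Assumption: domain-joined client whose NTAuth cache was populated by Group Policy.
$NtAuthKey = 'HKLM:\SOFTWARE\Microsoft\EnterpriseCertificates\NTAuth\Certificates'

function Get-NtAuthThumbprint {
    # Subkey names in the NTAuth cache are thumbprints of CAs trusted for logon.
    if (Test-Path $NtAuthKey) {
        @(Get-ChildItem $NtAuthKey | ForEach-Object { $_.PSChildName })
    } else { @() }
}

function Test-LogonCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string[]]$NtAuthThumbprints = (Get-NtAuthThumbprint)
    )
    # Build the chain with the default policy (includes an online revocation check).
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Cert)
    # Element 0 is the certificate itself, element 1 its issuing CA (if found).
    $issuer  = if ($chain.ChainElements.Count -gt 1) { $chain.ChainElements[1].Certificate }

    # Collect the Enhanced Key Usage OIDs so they can be compared with the template.
    $ekuExt = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    [pscustomobject]@{
        Subject        = $Cert.Subject
        Thumbprint     = $Cert.Thumbprint
        HasPrivateKey  = $Cert.HasPrivateKey
        NotExpired     = (Get-Date) -ge $Cert.NotBefore -and (Get-Date) -lt $Cert.NotAfter
        EkuOids        = $ekus -join ', '
        ChainBuilds    = $chainOk
        ChainStatus    = @($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        IssuerInNtAuth = [bool]($issuer -and ($NtAuthThumbprints -contains $issuer.Thumbprint))
    }
}

# Report on every certificate in the current user's Personal store.
Get-ChildItem Cert:\CurrentUser\My |
    ForEach-Object { Test-LogonCertificate -Cert $_ } |
    Format-List
```

If the enrolled certificate shows `IssuerInNtAuth : False` or a non-empty `ChainStatus`, the CA trust described under "Windows Requirements" is the first thing to check.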

Add second factor to private key

While your private key is already secured with a PIN, additional security measures can be implemented using CodeB. This system allows for the protection of your private key with second factors like NFC cards, credit cards, company badges, etc. If you require a second factor that is not yet supported, please feel free to contact us.

To add an NFC card as a second factor, select your previously enrolled certificate and click 'Add NFC'. You will first be prompted to enter your certificate PIN, followed by the option to select your card reader. Place your NFC token on the card reader and click the 'Assign' button.

Additionally, if you install the 'CodeB Authenticator' app from the Google Play Store, your mobile device can also function as an NFC factor.

Login to Windows

You are now set to log on to Windows without using a password.

To log on, simply enter your certificate PIN into the 'Password, TOTP or PIN' field of the CodeB Credential Provider and press enter. If your private key is secured with a second factor, such as an NFC card, place the card on the reader as well.

Note that if you used the default PIN '0000' during certificate roll-out, you can utilize the "Tap to Login" feature. Just tap your NFC card on the reader, and you will be logged in automatically. This process is also demonstrated in the video below.