How a Windows Login Filter Improves Security #

A Windows login filter lets you block default login options and enforce secure authentication. CodeB CP V2 includes a built-in filter to control access.

Using a Credential Provider Filter is always the recommended method for managing which login methods are available on a Windows system, especially when enforcing strict authentication policies like those enabled by the CodeB Credential Provider V2.

Key Benefits of Using a Filter Over Disabling: #

• Security-Conscious Design: Filtering leaves the provider intact but simply hides its tile at logon. This avoids OS instability or unexpected behavior often caused by disabling built-in providers.
• Compliant with Microsoft Best Practices: Disabling built-in providers can interfere with critical Windows functionality. Filtering ensures seamless updates and support.
• Dynamic Control: The built-in filter of CodeB CP V2 lets administrators hide unwanted credential providers without uninstalling or modifying them.

Providers You Should Hide to Enforce CodeB-Only Login: #

To ensure users authenticate exclusively via CodeB CP V2 (with tokens such as NFC, USB, TOTP, OIDC, or X.509), the following Microsoft providers are commonly filtered:

• PasswordProvider
  CLSID: {60b78e88-ead8-445c-9cfd-0b87f74ea6cd}
  This is the classic username/password provider, which should be hidden for passwordless environments.
• Smartcard Credential Provider
  CLSID: {8FD7E19C-3BF7-489B-A72C-846AB3678C96}
  Used by traditional smartcards — redundant if you’re using CodeB’s enhanced X.509 workflows.
• Smartcard PIN Provider
  CLSID: {94596c7e-3744-41ce-893e-bbf09122f76a}
  Tied to PIN entry for smartcards, and should be suppressed if not using native Windows smartcard logon.

These CLSIDs should be set to 1 under:

objectivecCopyEditHKEY_LOCAL_MACHINE\SOFTWARE\Aloaha\CP CLSIDs

This ensures CodeB CP V2 remains the exclusive logon interface.