First, a word about…
Password caching
Pretty much every credential add-on for Windows I’ve seen since 2010 that lets you log in with some sort of alternative will basically just cache your real password internally somehow and then pass that to the “real” credential check to log you in. There used to be ways to legitimately log in an account using a GINA replacement for Win98 and previous… then came the “Credential Provider” which you could still set up to allow direct account logon without password caching, but Windows changed things like 5 times between Win7 and today’s current iteration, and added online Microsoft accounts to the mix, such that it seems impossible now to actually directly log you into an account (even local machine accounts) using real security like FIDO. Everything is just password caching, then shoving that password into Windows for authentication. Of course there is nuance here… current Windows machines managed by Azure AD (called Entra ID now I think?) will let you use your FIDO with your Microsoft account to log into your computer, but only if your computer is managed… still, in 2025, stand-alone workstations which are not managed in this way yet are logged into with online Microsoft accounts cannot use FIDO… wtf Microsuck?
Rohos Login
So I’ve been using Rohos login on my workstation because it’s simple and works… but it’s old… old design… old list of credentials… UID only auth for RFID/NFC transponders wherein it calls all RFID transponders “MiFare 1K RFID”… but this is where and how you register chips like NTAG216 or even Apex smartcard chips.
There is YubiKey support but USB only, not NFC… it’s just old. You basically give Rohos your account password and it will pass that to Windows when you tap a recognized UID to a reader. It’s also esoteric and confusing… there’s talk of PIN codes which don’t apply to RFID transponders and if you set up your account following the incorrect steps, it will try to ask you for a PIN code to your NTAG216 which fails because it doesn’t exist and then you get locked out after 3 failed attempts… it’s just kind of a trash interface. There are so many painfully obvious things they bolted on well after initial design and user experience flow, which hasn’t been updated in probably well over a decade.
HID DigitalPersona
I recently came across HID DigitalPersona which is designed to be part of an enterprise access management system… however they appear to have a “trial” of a “Workstation” version which is more like a “personal” version that works with stand-alone systems not tied to active directory or joined to a domain. Yes, it still just caches your password and passes it to Windows proper for login, but it’s a modern take and gives you a ton of interesting alternative logon options.
I’ve already configured DP to use my machine account (provided my password) so this is not a setup walk-through… just a series of interesting screenshots. After initial config, when you open DP “trial” you get this console with just one option “Credential Manager”.
Login options include;
- Password (like really?)
- Fingerprints (need a biometric scanner)
- “Cards” (more on this below)
- OTP Authenticator “one time password”
- PIN (really?)
- Passkey (aka FIDO2 resident key)
- RADIUS (whoa… old school)
- Bluetooth (not sure how it works)
- Recovery questions
Hilariously, where Rohos can’t use anything but a UID from a transponder, the “Cards” option requires a specific type chip - a smartcard or a DESFire… basically a chip that speaks ISO7816 over ISO14443A. I’ve enrolled my two Apex and a DESFire EV3 with nothing on it;
Transponders like NTAG216 will just not work at all with this… if you try, you’ll just get this;
Apex doesn’t work though
Even though I was able to enroll my Apex, only the DESFire card seemed to be recognized properly and only it was able to log me in. I tap my Apex to the reader and nothing happens. Come on what?!
Bluetooth what?
I have no idea how Bluetooth works…
I’ve enrolled my phone, but I have no idea how it works. When I need to auth inside of the DP Console to make changes, I can click Bluetooth when my phone is near by and it works… but when I try to actually log into my workstation, Bluetooth is not presented as an option;
But, upon reading the release notes…
So they removed the ability for it to log you in, but kept the whole enrollment and in-console auth function of Bluetooth? Like… wtf?
Final notes
I still use Rohos on my workstation while I test out DigitalPersona on my laptop. This software looks nice but I’ve found a lot of jittery jank. Sometimes card enrollment just hangs… reboot. enrollment started working again. Sometimes I go to log in with something and it just borks… gives odd error message. For example, I put the DESFire card on a reader at the login screen and it blipped, then said “Present writable secure contactless card to log in” which I already did… then removed and tried again… the error message did not go away or change… I had to cancel out and log in with my real password… reboot… worked again.
I like the OTP option DP offers but so far I can’t seem to get my Apex working as a “card” and while I did enroll a Passkey option it uses the Windows FIDO interface for talking to my passkey, but when I try to actually use it to log in, I get this;
WTF you mean insert? Bitch, I registered a contactless Passkey through the Windows FIDO dialogs. I can’t even ask it to try to get Windows to prompt me to present my passkey.
Oh yes, and apparently you can only have one Passkey registered? That goes against like basically every premise of FIDO, but ok…
For now I don’t think this is ready for prime time use with stand-alone non-enterprise machines, and it probably will never be as it’s not the target market. If you do decide to check it out, post your results and thoughts here on this thread!
Download
You can go through HID to get this software, but so often stuff like this just disappears (like EID Login did) so I’m providing what I have here;
DigitalPersona 4.3.0.zip (144.5 MB)
