If you use Microsoft NPS with the NPS extension then you can use Microsoft MFA. It's a lot of messing about. It has poor logging and diagnostics. It tends to break about once a year and you have to randomly do things (because of a lack of logs and diagnostics) to get it going again. If you have access to free labour then this is an attractive option. https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension Cisco Duo requires that you install the authentication proxy which provides RADIUS, and can back directly into Active Directory. It has lots of logs so you can see what's happening. You'll probably have it going in 30 minutes (once you have all your users enrolled), and never need to touch it again. https://duo.com/docs/meraki-radius Note that both solutions require you to use "push" notifications, so the users must install the relevant app on the mobile device.
... View more