
Use Case: 2FA to log in to Active Directory (such as logging into a corporate desktop computer that is on AD)

Desired Solution: Google Authenticator-style, RFC-based MFA system. This path is compelling because it is RFC-based and widely used for internet-based apps, and the user base already has it and uses it all the time. We thought this would be built in to Server 2016, but it appears not to be?

Ultimate Dream: With AD boosted by 2FA in this way, other apps we use that use AD as the directory will (we hope) magically get the 2FA benefit.

For clarity: We are not trying to use google (or other) accounts to log into AD. We are trying to use the google authenticator tool (or authy or any other tool that implements that RFC) to add 2FA to AD itself. (We use google authenticator with Amazon AWS, and many other hosted systems -- each of those systems has its own user db.) E.g. this is not about web-oriented OpenID and the like.

Where We Stand Today: Today, logins to desktop and PCs are via plain jane passwords. But some tools (like our vpn server), use AD for auth AND support Google Authenticator on top of that. We would like physical login to be as tight as the VPN (and using a similar auth tool).

Research Done So Far

There is a technet article on how to use google authenticator with Active Directory Federated Services (AD FS): https://blogs.technet.microsoft.com/cloudpfe/2014/10/26/using-time-based-one-time-passwords-for-multi-factor-authentication-in-ad-fs-3-0/

Oddly, it appears to be a dev project, requiring some code and its own SQL DB.

We are not speaking here of AD FS specifically. We are looking, when you get to it, for 2FA, preferably supporting the Google Authenticator RFCs, built in to AD.

Doesn't AD have native support (by now, 2016...) for Google Authenticator?

If not, is it expected in Server 2016?

(And if Win Server 2016 chooses not to support the most prevalent RFC-based 2FA, help me understand why MS would make such a decision?)

  • `help me understand why MS would make such a decision` - speculating about why Microsoft does, or doesn't do something isn't on topic here. – Zoredache Mar 18 '16 at 17:29
  • @Zoredache If I dream of something that is fundamentally impossible in some way, it is fair to explain to me why it is impossible. I am not asking for speculation. I am asking if there might be a legit, fundamental reason that an RFC-based solution would be excluded. – Jonesome Reinstate Monica Mar 18 '16 at 23:28
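For readers unfamiliar with what "the Google Authenticator RFC" actually specifies, the following is an added example (not code from the question's author, from Microsoft, or from Google) of the two algorithms involved: RFC 4226 HOTP (HMAC over a counter, dynamically truncated) and RFC 6238 TOTP (HOTP with the counter derived from the Unix time in 30-second steps). It also shows the two checks a verifier that sits in front of a directory login needs and that the generator alone does not give you: a small clock-skew window, and a replay guard so one code cannot be used twice. The secret used is the RFC 4226/6238 test key, base32-encoded the way an authenticator app would receive it; the function names (`hotp`, `totp`, `verify_totp`, `verify_totp_once`) are this example's own.

```python
import base64
import hashlib
import hmac
import struct

# The RFC 4226 / RFC 6238 (SHA-1) test key "12345678901234567890", encoded as
# base32 because that is the form authenticator apps import (QR code or typed).
EXAMPLE_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()


def _decode_secret(secret_b32: str) -> bytes:
    # Apps often display the secret with spaces and without '=' padding.
    cleaned = secret_b32.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned, casefold=True)


def hotp(secret_b32: str, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226 HOTP: HMAC(key, 8-byte big-endian counter), then dynamic truncation."""
    key = _decode_secret(secret_b32)
    mac = hmac.new(key, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects a window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)  # keep leading zeros


def totp(secret_b32: str, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the number of `step`-second periods elapsed."""
    return hotp(secret_b32, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or any of +/- `window` neighbouring steps.

    The window tolerates clock skew between the phone and the verifier; keep it
    small (1 step each way is typical) because every extra step widens the set
    of codes a guesser could hit. Comparison is constant-time.
    """
    base = unix_time // step
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret_b32, base + delta, digits), submitted):
            return True
    return False


def verify_totp_once(secret_b32: str, submitted: str, unix_time: int, used_steps: set,
                     window: int = 1, step: int = 30, digits: int = 6) -> bool:
    """Like verify_totp, but records the matched time step in `used_steps` and refuses
    a code whose step was already consumed, so a code seen once cannot be replayed
    within its validity window. `used_steps` stands in for per-user server state."""
    base = unix_time // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if hmac.compare_digest(hotp(secret_b32, counter, digits), submitted):
            if counter in used_steps:
                return False                     # replay of an already-accepted code
            used_steps.add(counter)
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: T=59 with SHA-1 and 8 digits gives 94287082.
    print("TOTP at T=59 (8 digits):", totp(EXAMPLE_SECRET_B32, 59, digits=8))
    state = set()
    print("first use accepted:", verify_totp_once(EXAMPLE_SECRET_B32, "287082", 59, state))
    print("replay accepted:", verify_totp_once(EXAMPLE_SECRET_B32, "287082", 70, state))
```

The point for the question at hand is that the whole scheme is a shared secret plus HMAC: anything that can store one secret per directory account and run this check at logon time could add "Google Authenticator-style" 2FA to AD, which is exactly what the linked AD FS article does with its own SQL table of secrets. Whatever does the verifying must also keep the replay state and a reasonably accurate clock.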
