Apologies in advance if this question is better suited on another StackExchange site; this felt like the best first choice.
Background
I have a web application (.NET Framework, ASP.NET Web Forms and MVC) running on IIS (any version). The application has no authentication logic, instead relying only on IIS configured for Windows Authentication (Negotiate); the application then references HttpContext.Current.User.Identity.Name to retrieve the Windows user.
I've been tasked with adding MFA to the login flow, but I've hit a roadblock on whether this is even possible. Below is my current understanding and why I believe it isn't possible; my question is whether I've missed something.
Goals:
- When an end user connects to the application, require a second-factor authentication check
- No application level changes
Current Understanding:
- With Windows Authentication, the user is already authenticated, and the challenge from IIS is only to include the current authentication token with the request
- IIS used to have an option to interrupt this flow and redirect to the MFA challenge via Microsoft's MFA server, but this was discontinued and is no longer available.
- There are no other options currently available to interrupt the IIS authentication flow
- Potential Option #1 - Rework application to include authentication logic (most likely toward OAuth / OpenID Connect) and invoke MFA challenge at that point
- Potential Option #2 - Place an application proxy in between the end user and the application; the app proxy would require login plus MFA, and then redirect to the application.
I'm at the point where I know enough to know I don't know enough, but I'm missing what more to understand to dig in further.
Is my understanding of Windows Authentication and available options to achieve MFA correct, or is there something else I am missing that will help me move forward?