This project has moved and is read-only. For the latest updates, please go here.

Multi-Factor Authentication for ADFS 3.0/2016

This project can help you to implement multi-factor authentication without requiring any additional provider.

You can download a fully functional solution or modify the source code to build your own solution.

MFA helps secure user sign-ins for on-premise or cloud services beyond just a single password. With MFA, users are required to enter a confirmation code, which is send to their phones, email account or via an authenticator application (Microsoft authentication, Google Authentication)after correctly entering their passwords.

What I Know (password) and What I Hold (device) are the keys of MFA.

For example, if you user password is compromised by a hacker, he can’t activate your application (business email) because You have the second code that can grant access to the app.

This extension, allow to use second factor with secondary email code transmission, or TOTP code (Time-based One Time Password) compatible with the Google’s (and others) standard. This extension works with Active Directory or an SQL Server Database for storing secret keys.


Neos-SDI is a global business and technology consulting firm that leads organizations toward innovative growth faster through the identification, application and support of inspired technology solutions. By leveraging our unique methodologies, we are able to help our clients envision the unique ways technology can be successfully applied to their business. Our envisioning sessions are intended to inspire the use of technology in differentiated ways in order to optimize our client's potential for growth. Founded in Paris in 2001, the source of Neos-SDI’s success is attributed to over 150 certified consultants, and 14 gold and two silver Microsoft Partner competencies; making Neos-SDI one of the top 10 Microsoft Partners worldwide.

Feel free to follow our projects on codeplex, github


  • Localized French/English/Spanish
  • run with ADFS Windows 2012 R2 and 2016
  • Enable self-registration
  • Enable self-registration with QR code (using component from  George Mamaladze and his team see; Great Work !)
  • Enable custom change password.
  • Secret Keys length (Guid, 128, 256, 384 & 512 bytes) 
  • Can use ADDS customizable attributes or Custom SQL-Server Database
  • Can send TOTP code by email (customizable template in resources)
  • Can send TOTP code by sms (customizable and extensible with API)
  • Can send TOTP code using Authenticator Apps like MS Authenticator, Google Authentication and more
  • Full sample for Azure MFA (additional configuration tasks and costs implied)
  • Developers can easily extend this component for other verification modes (Azure MFA, RSA,…) with the IExternalOTPProvider interface

Important –Limitations

  • Due to security, solution must be signed in Visual Studio with a certificate .pfx
  • You must deploy the solution on each of your ADFS servers, not on Proxy Servers.
  • To work with ADDS, the ADFS Service account must have read and write to users properties.
  • Working with ADDS multi-forests has not been tested (planned)
  • To work with SQL Server Database, you must deploy the database on a separate SQL Server (WID & replication is not supported)
  • Assemblies are using FW 4.5 and Up and must be deployed in the GAC.
  • Specific cmdlet should be run to deal with Web Services and rich clients (like Outlook), but this is specific to ADFS not to the component.
  • Should work with ADFS on W8 and W10.
  • the Identity claim is by design UPN (common and recommended in federation projects (planned to be customizable))



See Documentation

Last edited Sep 21, 2016 at 3:55 PM by redhook, version 49