Agree with Aidar in principle. The only authentication that takes place when "logging into" AR is the passing of windows credentials through the browser and this is really only to "help" AR to figure out what the user is allowed to do in the context of the application. Moreover, this only occurs if the browser is setup to challenge for credentials as this is not default behavior for IIS (that hosts the AR front end) and really acts as a form of gatekeeper for the app. To put it in simplest terms, IMO, the 2FA layer would have to be placed in front of IIS.
Agree with Aidar in principle. The only authentication that takes place when "logging into" AR is the passing of windows credentials through the browser and this is really only to "help" AR to figure out what the user is allowed to do in the context of the application. Moreover, this only occurs if the browser is setup to challenge for credentials as this is not default behavior for IIS (that hosts the AR front end) and really acts as a form of gatekeeper for the app. To put it in simplest terms, IMO, the 2FA layer would have to be placed in front of IIS.
