Let's start with "Why"
A couple of weeks ago I was faced with the challenge that external suppliers and support personnel were only able to perform MFA using email, as these employees had neither corporate mobile phones for modern (Verify, DUO) or old-school (text message) authentication nor their own identity provider (AzureAD, Okta, etc.) which I could federate against.
Workspace ONE Access (WS1A) already supports a large number of authentication providers, but some methods are still not covered natively by a built-in provider. Luckily, WS1A supports RADIUS, which lets us extend its "skill set" even further.
There is a free Microsoft Network Policy Server (aka RADIUS on Windows) extension called SMS2 (Download & Documentation: https://www.wrightccs.com).
This extension adds email, OATH (both HOTP and TOTP), SMS gateway, PIN/TAN and other methods to RADIUS and therefore to Workspace ONE Access. I have been using SMS2 for over 5 years now without major issues, and the best thing: it's free!
Setup and Configure
In this blog post I will focus on email as the second factor of authentication, but feel free to use any of the other SMS2 methods as well.
Workspace ONE Access Connector to communicate with the RADIUS server
Network Policy and Access Services Role installed on a Windows Server accessible from your connector (can be hosted on the same box)
Microsoft SQL Express or Windows Internal Database to store SMS2 Configurations and Tokens
SMS2 Software (Download: https://www.wrightccs.com/support/download/)
Install all of the above components and make sure they can communicate with each other.
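One way to check the connector-to-NPS leg of "make sure they can communicate", as an added example that is not part of the original post or of SMS2: a small RADIUS Access-Request probe that sends a Message-Authenticator and verifies the reply against the shared secret. The host name, test account, shared secret and UDP port 1812 are placeholder assumptions; run it from the connector host.

```python
import hashlib, hmac, os, socket, struct

CODES = {2: "Access-Accept", 3: "Access-Reject", 11: "Access-Challenge"}

def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 User-Password hiding: XOR 16-byte blocks with an MD5 chain."""
    size = max(16, (len(password) + 15) // 16 * 16)
    padded, out, prev = password.ljust(size, b"\x00"), b"", authenticator
    for i in range(0, size, 16):
        pad = hashlib.md5(secret + prev).digest()
        prev = bytes(a ^ b for a, b in zip(padded[i:i + 16], pad))
        out += prev
    return out

def attr(kind: int, value: bytes) -> bytes:
    return bytes([kind, len(value) + 2]) + value

def build_access_request(user, password, secret, ident, authenticator):
    attrs = attr(1, user.encode()) + attr(2, hide_password(password.encode(), secret, authenticator))
    header = struct.pack("!BBH", 1, ident, 20 + len(attrs) + 18) + authenticator
    # Message-Authenticator (type 80): HMAC-MD5 over the packet with the field zeroed.
    mac = hmac.new(secret, header + attrs + attr(80, bytes(16)), hashlib.md5).digest()
    return header + attrs + attr(80, mac)

def response_is_authentic(reply, request_authenticator, secret):
    """Response Authenticator = MD5(code, id, length, request auth, attributes, secret)."""
    if len(reply) < 20:
        return False
    length = struct.unpack("!H", reply[2:4])[0]
    if not 20 <= length <= len(reply):
        return False
    expected = hashlib.md5(reply[:4] + request_authenticator + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, reply[4:20])

def probe(server, user, password, secret, port=1812, timeout=5.0):
    ident, authenticator = os.urandom(1)[0], os.urandom(16)
    packet = build_access_request(user, password, secret, ident, authenticator)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(packet, (server, port))
            reply, _ = sock.recvfrom(4096)
        except OSError:  # includes timeouts and name-resolution failures
            return "no reply: check firewall, port and RADIUS client registration"
    if reply[1] != ident or not response_is_authentic(reply, authenticator, secret):
        return "reply failed verification: shared secret mismatch or unexpected sender"
    return CODES.get(reply[0], f"unexpected code {reply[0]}")

if __name__ == "__main__":
    # Placeholders (assumptions): your NPS host, a test account and the shared secret.
    print(probe("nps.example.internal", "test.user", "password", b"shared-secret"))
```

Any verified reply, including an Access-Reject, shows that the network path and the shared secret are correct.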
I will update this blog post soon; I wanted to share the idea/solution with the community. I will go through all the configuration steps in detail with screenshots.