top of page
  • Writer's pictureAlex

How-To: Extend Workspace ONE Access MFA capabilities with eMail, OATH, ... using SMS2 and RADIUS

Let's start with "Why"


Couple weeks ago I was faced with a challenge that external suppliers and support personal were only able to perform MFA using eMail as employees neither had corporate mobile phones for modern (Verify, DUO) or old-school (text-message) authentication nor own an identity provider (AzureAD, Okta, etc) which I could federate against.

Workspace ONE Access (WS1A) already support a huge number of authentication providers but still there are some, which are not directly covered by a built-in provider natively. Luckily WS1A does support RADIUS which gives us the ability to extend the "skill-set" even further.

There is a free Microsoft Network Policy Server (aka RADIUS on Windows) extension called SMS2 (Download & Documentation:

This extension adds eMail, OATH (both HOTP, TOTP), SMS Gateway, PIN/TAN and other methods to RADIUS and therefore to Workspace ONE Access. I am using SMS2 over 5 years now without major issues and the best thing: It's free!

Setup and Configure


In this blog post I will focus on eMail as second factor of authentication, but feel free to use any other SMS2 methods as well.


Install all above components and make sure they can communicate.

Coming soon

I will update this blog post soon, wanted to share the idea/solution with the community. I will go through all the configuration steps in detail with screenshots.

109 views0 comments
bottom of page