Strong authentication (2FA) for Office 365

Two-factor authentication, or strong authentication, provides improved security because it requires the user to meet two authentication criteria: a user name/password combination (something you know) and a token or certificate (something you have).

Planning for two-factor authentication with single sign-on

If you plan to use strong authentication with single sign-on, the following strong authentication scenarios are supported:

  • Requiring strong authentication when users log on to their corporate network, whether the user is logging on from within or from outside the corporate network. In this case, you should simply rely on your existing infrastructure for this requirement. No further deployment is required except for AD FS 2.0. NOTE: This mechanism is not supported for Outlook during the Beta.
  • Requiring strong authentication when users sign in to web applications from a non-domain-joined machine, such as a home PC or internet kiosk. However, users logging on to the corporate network or accessing services within the corporate network do NOT require strong authentication mechanisms to sign in. For this case, see the section "Deploying two-factor authentication with single sign-on for web applications".

The following scenarios are not supported for use with single sign-on and strong authentication:

  • Step-up scenarios: This is where the user is not logged in using strong authentication mechanisms but tries to access a High Business Impact SharePoint Online site that requires strong authentication.
  • Requiring strong authentication when using rich client applications, such as Outlook, from non-domain-joined machines, such as a home PC or internet kiosk.
    • NOTE: Strong authentication for rich client applications can be supported as long as the machine is domain joined and the action of joining the machine to the corporate network requires strong authentication.

Deploying two-factor authentication with single sign-on for web applications

This section describes the deployment options to enforce strong authentication with SSO for users accessing Office 365 web applications from outside the corporate network (for example, from a web kiosk or from home).

There are two options available:

 

Comments
  • Can a reference be posted to a high-level supported architecture that includes all components, ADFSv2, UAG, Dirsync, etc.? Different references are made to the individual components, but a high-level supported architecture is lacking, where there are several options. Thanks
