Keep in mind that we already have two different options for 2FA, and email-to-SMS provides a supplement to the second option.
My suggestions for product development:
Differentials based on internal or external connections. Internal could be detected based on private IP or explicitly specified IP range(s).
- Option 1: Allow domain admin to specify that 2FA is not required for internal connections.
- Option 2: Independently specify whether Webmail, EAS, EWS, and MAPI are allowed from external connections.
To support additional 2FA technologies, the most important feature is to implement a RADIUS client. I think you will find most 2FA products support that connection method. Microsoft NPS implements a RADIUS server which provides an option for testing.
TACACS+ is reportedly more secure, but seems less widely used. Supporting it would be desirable.
LDAP is a third option, but seems least commonly used for 2FA.
WIKIDSYSTEMS.COM has detailed step-by-step instructions for configuring their 2FA solution with many products. It is a good example of what good documentation can be like, and it will simplify efforts to integrate with them.
DUO.COM is another product that I have mentioned and admire.
I believe both Wikidsystems.com and Duo.com have limited-use free versions that will allow developers to perform integration testing without laying out cash to the vendor.
I have no experience with Twilio. Perhaps an existing user can confirm whether they use RADIUS, TACACS+, LDAP, or something else.
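Since the post names a RADIUS client as the most important integration feature, here is an added example (my own code, not from any product or vendor mentioned above) of the core of one in Python: hiding the User-Password attribute as RFC 2865 requires, encoding an Access-Request, and checking the Response Authenticator on the reply. The shared secret, NAS identifier and credentials are constructed placeholder values; the UDP send to port 1812 and retry handling are left out.

```python
"""Minimal RADIUS (RFC 2865) PAP Access-Request client core, with no network I/O."""
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2                 # packet codes
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32  # attribute types

def _xor_stream(data, secret, authenticator, decrypt):
    # RFC 2865 5.2: XOR each 16-byte block with MD5(secret + previous ciphertext
    # block); the first block is keyed by the Request Authenticator.
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        chunk = data[i:i + 16]
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(chunk, key))
        out += block
        prev = chunk if decrypt else block  # the ciphertext block, in either direction
    return out

def hide_password(password, secret, authenticator):
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    return _xor_stream(padded, secret, authenticator, decrypt=False)

def reveal_password(hidden, secret, authenticator):  # the server-side inverse
    return _xor_stream(hidden, secret, authenticator, decrypt=True).rstrip(b"\x00")

def build_access_request(identifier, username, password, secret, nas_id, authenticator=None):
    authenticator = authenticator or os.urandom(16)  # fresh per request; keep it for the reply check
    attrs = b""
    for typ, val in ((USER_NAME, username), (NAS_IDENTIFIER, nas_id),
                     (USER_PASSWORD, hide_password(password, secret, authenticator))):
        attrs += struct.pack("!BB", typ, len(val) + 2) + val  # type, length, value
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + authenticator + attrs, authenticator

def parse_attributes(packet):
    attrs, i = {}, 20
    while i < len(packet):
        typ, length = packet[i], packet[i + 1]
        attrs[typ] = packet[i + 2:i + length]
        i += length
    return attrs

def response_authenticator(code, identifier, request_authenticator, attrs, secret):
    # What a genuine server places in bytes 4..20 of its reply; used here to simulate one.
    head = struct.pack("!BBH", code, identifier, 20 + len(attrs))
    return hashlib.md5(head + request_authenticator + attrs + secret).digest()

def response_is_authentic(response, request_authenticator, secret):
    # An Access-Accept forged by a party without the shared secret fails this check.
    expected = response_authenticator(response[0], response[1], request_authenticator, response[20:], secret)
    return hmac.compare_digest(expected, response[4:20])
```

A real client must also match the reply's Identifier to the outstanding request and discard replies that fail the authenticator check rather than treating them as a denial.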