2
We need SMS for 2FA. Please make this happen. It's super important in the auto industry
Idea shared by Marc Frega - 9/8/2022 at 6:21 PM
Proposed

All my clients are requesting we have SMS text 2FA.


SMS 2FA is a type of authentication often used next to the standard password during Two-Factor Authentication (2FA) or Multi-Factor Authentication (MFA). SMS 2FA involves sending a short one-time password (OTP) to the user via text message.
This is a super important feature that my clients are requesting for familiarity and ease of use. 
Insurance and safe harbor laws and trade commission laws are forcing compliance in several industries using the safe harbor pieces of legislation.
I have a large install underway and about 1500 users begging me to make this happen.
What does everyone else do about this? Shouldn't 2FA via text be doable? Is this what others want?

13 Replies

1
Most cell phone number texting can be reached via email using <phonenumber>@<carrierdomain>.   One of SmarterMail's options for 2FA is to use the recovery email address.   It seems like this should suffice.

Alternatives for the long haul
DUO and WikidSystems are two products that offload the 2FA function, for a monthly cost per user.  DUO is probably the industry leader because it supports an abundance of 2FA communication methods (cell phone app, phone call, text message, maybe more.)     These solutions would require SmarterMail to be able to call a RADIUS (or TACACS+) server for authentication, instead of just Active Directory.  Because many organizations and users will want to minimize the number of 2FA solutions that users must learn and configure, integrating via RADIUS is probably a better approach than building their own implementation.

0
It would be a nightmare from an administrative side to do the carrier text option.

I'm talking just being able to text a code to someone. It's gotta be doable. I use hundreds of products that do it. How is no one else needing this?
1
You underestimate the infrastructure required.   You need an SMS gateway vendor, and an SMS submission software product.   We use ActiveXperts SMS Messaging (https://www.activexperts.com/sms-server/) for the product and CDyne (https://cdyne.com/) for our gateway vendor.   

SmarterMail is not a cloud product, so the cost of these components will fall on you.    Are you willing to absorb these costs, and does SmarterMail have enough clients willing to buy a compatible infrastructure for this to be a viable solution?   I am doubtful.

In the short term, your available solution is email-to-SMS.   I don't see the horrid complexity of this approach, but no need to argue.   The long-term solution remains RADIUS and DUO, because that is probably what your auto industry clients are using for their other 2FA implementations.
1
ST could just let the community work for them. Make the 2FA system extensible. Let the devs out here write their own 2FA plugins. We use SMS 2FA on other systems that we’ve custom developed for using RingCentral. They handle everything for us, we simply send the required API request.
0
Your topic motivated me to document some design issues related to 2FA, which I have provided in a separate post.
1
Tim Uzzanti Replied
Employee Post
We could provide it, but it would need to use a third party service that you would need to subscribe to which had the ability for SMS approvals.  Would you pay for such a service?  If so, which one?
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
2
Tim Uzzanti Replied
Employee Post
Although they just laid off 11% of their workforce today!
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
0
Twilio is nice, we use RingCentral (as they also do our phone services) for our billing/control panel systems SMS-based 2FA.
1
Tim. I would need more information on the cost benefit. Right now my clients are just considering Gmail instead. Right now there is no option regardless of cost so they must consider others.
0
Tim Uzzanti Replied
Employee Post
Any customer who wants to be treated seriously would post differently.  Especially after the CEO asks for information.
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
0
Alas, 2FA is becoming / has become a necessity for many. Everyone's a target these days. Nobody loves it but the risks grow daily, so the writing's on the wall.

My clients are doing without for now, but it's just a matter of time. And FYI these comments are not aimed specifically at ST.

As an admin, I use it wherever I can. 

So... just sayin' 
1
Keep in mind that we already have two different options for 2FA, and email-to-SMS provides a supplement to the second option.

My suggestions for product development:
Differentials based on internal or external connections.   Internal could be detected based on private IP or explicitly specified IP range(s).
- Option 1:  Allow domain admin to specify that 2FA is not required for internal connections.
- Option 2:  Independently specify Webmail, EAS, EWS, and MAPI are allowed from external connections.

To support additional 2FA technologies, the most important feature is to implement a RADIUS client.   I think you will find most 2FA products support that connection method.   Microsoft NPS implements a RADIUS server which provides an option for testing.

TACACS+ is reportedly more secure, but seems less widely used.    Supporting it would be desirable.

LDAP is a third option, but seems least commonly used for 2FA.

WIKIDSYSTEMS.COM has detailed step-by-step instructions for configuring their 2FA solution with many products.   It is a good example of what good documentation can be like, and it will simplify efforts to integrate with them.

DUO.COM is another product that I have mentioned and admire.

I believe both Wikidsystems.com and Duo.com have limited-use free versions that will allow developers to perform integration testing without laying out cash to the vendor.

I have no experience with Twilio.  Perhaps an existing user can confirm whether they use RADIUS, TACACS+, LDAP, or something else.
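
The internal/external split suggested in the post above, sketched as an added example (not part of the original thread and not SmarterMail code); `DomainPolicy`, `decide` and the protocol names are hypothetical. It assumes the address passed in is the TCP peer address seen by the server, not a client-supplied header such as `X-Forwarded-For`.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 plus IPv6 unique-local; an admin could list explicit ranges instead.
DEFAULT_INTERNAL = ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7")

@dataclass(frozen=True)
class DomainPolicy:  # hypothetical structure, not a SmarterMail setting
    internal_ranges: tuple = DEFAULT_INTERNAL
    skip_2fa_internal: bool = True  # Option 1
    external_protocols: frozenset = frozenset({"webmail", "eas"})  # Option 2

def is_internal(peer_ip: str, policy: DomainPolicy) -> bool:
    """True only if the TCP peer address falls inside a configured range."""
    try:
        addr = ipaddress.ip_address(peer_ip.strip())
    except ValueError:
        return False  # unparseable input counts as external (fail closed)
    # Normalise IPv4-mapped IPv6 (::ffff:10.0.0.5) so it matches IPv4 ranges.
    if addr.version == 6 and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return any(
        addr.version == net.version and addr in net
        for net in map(ipaddress.ip_network, policy.internal_ranges)
    )

def decide(peer_ip: str, protocol: str, policy: DomainPolicy) -> str:
    """Return 'password_only', 'require_2fa' or 'deny' for one login attempt."""
    if is_internal(peer_ip, policy):
        return "password_only" if policy.skip_2fa_internal else "require_2fa"
    if protocol.lower() not in policy.external_protocols:
        return "deny"  # protocol not opened to external connections
    return "require_2fa"

if __name__ == "__main__":
    policy = DomainPolicy()
    # Constructed sample logins: (peer address, protocol)
    for ip, proto in [("10.1.2.3", "mapi"), ("::ffff:192.168.1.9", "webmail"),
                      ("203.0.113.7", "webmail"), ("203.0.113.7", "mapi"),
                      ("172.32.0.1", "eas"), ("not-an-ip", "webmail")]:
        print(f"{ip:22} {proto:8} -> {decide(ip, proto, policy)}")
```
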

1
BTW I maintain domain names for myself and my clients on enom.com. They have pseudo-3FA on browser access:

Login + Authenticator + 2 challenge questions (counts as ~1F)

Besides that enom had a major systems meltdown when upgrading their servers many months ago, they've been very good since. Indeed, their service has even improved.
