I am wondering whether it is possible to use Windows Server with Network Policy Server + Google (https://en.wikipedia.org/wiki/Google_Authenticator) or Microsoft Authenticator (https://www.microsoft.com/en-us/store/apps/authenticator/9wzdncrfj3rj) to get two-factor authentication. I found a description of how to configure it for Linux-based RADIUS: http://www.supertechguy.com/help/security/freeradius-google-auth
There are also some guides on how to configure Windows Server with NPS + a licensed appliance which supports two-factor authentication
http://www.techworld.com/tutorial/security/how-to-implement-two-factor-authentication-with-windows-server-2008-nps-3223170/
but this requires user licenses.
We plan to get rid of the RSA hardware tokens used for Citrix external access and Cisco VPN two-factor authentication.