I know there is nothing built into Exchange 2010 OWA to require two factor authentication but we would like to find something that would accomplish this for a more secure OWA login. I know OWA would have to probably sit behind something we put in place. RSA came up but its expensive and we were looking for another solution. I don't know if ISA or Forefront TMG would provide this function by themselves or woud be need another plugin of some kind to accomplish this. Just wondering what others are doing. Part of this is also to try and block mobile devices like Android and Blackberry from accessing email using web apps like Touchdown etc which is basically OWA for your phone.

You can use TMG or microsoft UAG. Check this guide. http://www.microsoft.com/downloads/en/details.aspx?FamilyID=894bab3e-c910-4c97-ab22-59e91421e022&displaylang=en REgards Ron

In our 2 factore (token based) implementation we installed an ISAPI filter on an ISA server. It has two challenge pages - one (from ISA) for the username and password, then a second for the token, from an internal IIS website. Have you thought of using client certificates? The client needs to have the certificate installed to get access... Another method is to use came up in our testing. We had a self signed (internal) certificate and when accessing OWA, IE and Firefox clients could accept the untrusted cert, but mobile clients (specifically iPhone) could not connect as they needed the certificate installed first.