This is a question related to Windows Credential Provider Implementation

I want to follow up to this question. We have a custom MFA solution that prompts for sms/pin after windows has finished authentication before letting the user in. Unfortunately on windows 2016 and windows 10,winLogon.exe does not wait for the custom mfa solution prompt to close if there is no activity, it just happens to log the user in, defeating the purpose of having a mfa prompt.

I have deployed a custom credential provider using the Windows Credential Provider framework. I know windows calls ReportResult function (https://msdn.microsoft.com/en-us/library/windows/desktop/bb776030(v=vs.85).aspx) after finishing the authentication to report the status back, but at this juncture i expected WinLogon.exe to wait (at this point my custom mfa prompts for challenge) for this function to return, instead it seems to just wait for ~2 mins and logs the user in.

Can anyone help me control this behaviour.

Unfortunately, you can't use ReportResult function to block the credential provider. This function is particularly useful if the authentication fails, to update the logon screen. If you want to implement a counter of fails, for example.

In your case (MFA), you should ask for sms/pin after the user clicked on the submit button, so in the GetSerialization function. You can do this by creating a new window that ask the sms/pin. Then, when the user send the sms/pin, system checks the username/password with LSA and the sms/pin with your algorithm.

You can't ask the user for sms/pin according to the password authentication result.