At TNC2013, SURFnet presented a study on the architecture and processes for a multi-factor authentication (MFA) cloud service for services in a SAML federation. Building on that work, we evaluated existing solutions, ran pilots with vendors of MFA solutions, and decided to develop a new service. We then developed this service and a business model for it, and finally took it into production as "SURFconext Strong Authentication" in August 2015. In this talk we present the ideas we developed while designing and building the software for this service and the lessons we learned while running it in production for almost two years. We discuss what the "SURFconext Strong Authentication" service is, what sets it apart from other MFA solutions, and how our ideas have evolved since then. We then discuss the architecture of the solution, describe how we employed SAML in novel ways to solve several architectural problems, and look ahead to planned future work. The software that runs the service is publicly available under an open-source license. See https://openconext.org/stepup for more information.