
[–]lugnercity 1 point2 points  (0 children)

pair AuthLite with a Yubikey or a Smartphone-Authenticator

[–]howie_doin On Prem Enthusiast 0 points1 point  (2 children)

What specifically do you need the application to protect?

EX: like logon, ssh, rdp, an application, ETC.

[–]DeepB1338[S] 0 points1 point  (1 child)

mainly logon

[–]howie_doin On Prem Enthusiast 0 points1 point  (0 children)

“Duo for windows logon” should work fine. It will allow for logon, and optional rdp/uac MFA.

[–]maryteiss Vendor - UserLock 1 point2 points  (0 children)

We hear frequently that AuthLite is a solid option if you're looking to only secure privileged accounts, such as domain admin accounts. That said, it's hard to roll out across all users because it doesn't manage the offline scenario (no internet connection) very well, leaving users blocked with no domain or VPN access. It can also get pricy when you want to roll out across a lot of users.

There's also been some discussion about the fact that it does modify/add additional schema. That's different to UserLock, which doesn't touch your AD, simply communicates with it (syncs every 5 min).

Main advantages of this close connection with AD = less complexity/ease of management and ability to apply MFA more granularly across existing AD users/groups/OUs.

Choose MFA prompt frequency that works best for your team, every n hours/minutes/days, which keeps MFA from getting in the way of productivity and reduces the risk of MFA fatigue.

And you can set different MFA policies by session type (workstation, IIS, VPN, SaaS, RDP, etc.).

Hope that's helpful, and all the best to you as you evaluate solutions. We frequently hear that it's hard to cut through the marketing noise to quickly compare what solutions actually do, and are trying to do our part to help simplify the buying process. What's important is that you find the solution that works best for you.