How to Implement MFA in Legacy OT Environments Without Breaking Operations
Learn practical strategies to implement MFA in legacy OT environments without disrupting operations. Enhance security while maintaining safety and reliability.
The call for improving authentication in Operational Technology (OT) environments is growing in volume and urgency. Incidents over the past decade—from power grid compromises to ransomware incidents in water facilities—underscore the risks related to weak or absent authentication. In the enterprise IT world, Multi-Factor Authentication (MFA) is (rightly) considered table stakes. But implementing MFA in industrial networks built before the internet was more than a curiosity is a non-trivial problem.
In this article, we’ll take a structured look at the internal realities and constraints of OT environments, the technical and historical context for legacy protocols, and the architectural strategies for adding MFA without causing unplanned downtime or technological breakage. Security is essential—but so is maintaining continuous, safe operations.
MFA seeks to verify user identity through two or more “factors”: something you know (password), have (token or smartcard), or are (biometrics). In the typical IT context, implementations rely on application-layer protocols—SAML, RADIUS, LDAP, OAuth, or cloud-based services.
In OT, the majority of legacy systems simply aren’t designed for this. HMIs might be accessed via VNC, proprietary clients, or even directly at the panel with no OS-level logon. Protocols like Modbus/TCP, Profinet, or BACnet perform no authentication of their own, so there is nothing at the device to which a second factor could be attached. Enforcement therefore has to happen on the access path in front of the device rather than on the device itself:
VPN MFA: Most industrial-strength VPNs (hardware or software) can be integrated with centralized authentication (RADIUS, SAML, etc.), allowing MFA even for legacy client endpoints.
Remote Desktop/Jump Hosts: Microsoft’s NPS (RADIUS) or third-party products can enforce MFA for RDP sessions.
Web-based HMIs and Applications: Where possible, place a modern SSO/MFA provider in front of the existing interface as a wrapper, so the application itself does not have to change.
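The pattern behind all three options is the same: the factor check and the least-privilege decision live on the jump host or VPN portal, and the legacy device only ever sees traffic that has already passed them. The following is an added illustration of that broker logic, not code from the article; the hostnames, user names, factor labels and the two protocol ports it uses are constructed sample values.

```python
# Added example, not code from the article: a policy check for a jump host or VPN
# portal that enforces MFA in front of legacy OT devices, which verify nothing themselves.
from dataclasses import dataclass
from typing import Dict, FrozenSet, Set, Tuple

# Factor categories as the article defines them: something you know / have / are.
FACTOR_CATEGORY = {"password": "know", "totp": "have", "smartcard": "have", "fingerprint": "are"}
# Well-known ports of protocols that perform no authentication of their own.
OT_PORTS = {502: "modbus/tcp", 47808: "bacnet/ip"}

@dataclass(frozen=True)
class Session:
    user: str
    factors: FrozenSet[str]  # factors the VPN/RADIUS/NPS assertion says were verified
    source_host: str
    dest_host: str
    dest_port: int

@dataclass
class Policy:
    jump_hosts: Set[str]               # only sources permitted to reach the OT zone
    ot_zone: Set[str]                  # addresses of legacy devices
    user_targets: Dict[str, Set[str]]  # least privilege: user -> permitted devices

def distinct_categories(factors: FrozenSet[str]) -> int:
    """Two possession tokens are still one factor: count categories, not credentials."""
    return len({FACTOR_CATEGORY.get(f, "unknown") for f in factors})

def evaluate(policy: Policy, s: Session) -> Tuple[bool, str]:
    # Returns (allowed, reason); the reason is what the audit log records.
    if s.dest_host not in policy.ot_zone:
        return True, "allow: destination outside OT zone, not brokered here"
    if s.source_host not in policy.jump_hosts:
        return False, "deny: OT zone reachable only from an approved jump host"
    if distinct_categories(s.factors) < 2:
        return False, f"deny: factors {sorted(s.factors)} span fewer than two categories"
    if s.dest_host not in policy.user_targets.get(s.user, set()):
        return False, f"deny: {s.user} is not authorised for {s.dest_host}"
    if s.dest_port not in OT_PORTS:
        return False, f"deny: port {s.dest_port} is not an approved OT protocol"
    return True, f"allow: {s.user} -> {s.dest_host}:{s.dest_port} ({OT_PORTS[s.dest_port]})"

def audit_line(s: Session, verdict: Tuple[bool, str]) -> str:
    """One line per decision: the evidence a legacy device cannot produce itself."""
    return (f"user={s.user} src={s.source_host} dst={s.dest_host}:{s.dest_port} "
            f"factors={','.join(sorted(s.factors))} result={verdict[1]}")

# Constructed sample policy: one jump host, two legacy devices, one operator.
POLICY = Policy(jump_hosts={"jump01.dmz.example"},
                ot_zone={"plc-07.ot.example", "hmi-02.ot.example"},
                user_targets={"alice": {"plc-07.ot.example"}})
```

Feeding each verdict through `audit_line` gives the per-session record that the device itself cannot generate, which is what incident responders will ask for after the fact.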
If device-level improvements are needed, advocate for upgrades/replacements as part of medium- or long-term planning, not as an urgent quick fix.
Focus on pragmatic, outside-the-device controls (jump hosts, VPN portals, network segmentation), test exhaustively, and foster real partnership between IT and OT. The road is slow, but the alternative—waiting for an incident—will always be worse.