Deploying Multi-Factor Authentication (MFA) in an OT or on-premise environment costs roughly $30 to $60 per user in hardware, $0 to $6 per user per month in software licences, and about a third of the project budget in operations, covering training, helpdesk, and the corner cases that don't appear on a cloud pricing page.
For defense contractors, utilities, and manufacturers facing CMMC, NIS2, and NERC CIP obligations, MFA is not optional. The real question is how to budget for it without overspending on token form factors that won't fit the plant floor.
Trout takes a different angle: shift MFA to the network micro-segment, and let operators associate themselves with flexible enclaves for the duration of a task or shift.
This post breaks down the direct and indirect costs, compares the six approaches you will actually choose between, and outlines a budgeting approach that survives contact with operators.
Comparing the Six OT MFA Approaches
Most plants end up mixing two or three of the options below. The cost question is rarely "which one". It is "which mix, for which role."
| Approach | Per-user hardware | Software / licence | Ops & training | Where it fits |
|---|---|---|---|---|
| Badge tap + PIN at HMI | $15 to $40 reader, $2 to $8 badge | Local IdP or built-in (~$0 to $4/user/mo) | High at first; low once routines settle | Shop-floor HMIs, shared workstations, kiosk consoles |
| FIDO2 hardware key | $25 to $55 list, ~$25 to $35 in volume | IdP supports FIDO2 (often included) | Re-issuance and lost-key process | Engineers, jump hosts, ICCP gateways, vendor remote-access |
| Smart card + PKI (PIV/CAC) | $4 to $10 card, $30 to $80 reader | PKI infrastructure (1+ FTE on a medium estate) | High; cert lifecycle, CRLs, expirations | Defense contractors, regulated utilities with existing PKI |
| Mobile authenticator (TOTP / push) | $0 if BYOD; $150 to $250 for managed handsets | $3 to $6/user/mo cloud IdP | Low where phones are already allowed | Office staff, control engineers, remote-access users |
| Printed OTP / break-glass | ~$0 | $0 | High; secret handling, audit | Air-gapped sites, offline fallback |
| Trout enclave-MFA (network micro-segment) | Reuses any existing factor (badge, FIDO2, mobile) | Per-site Trout licence | Low; one network boundary, no per-device agent | Mixed IT/OT estates, legacy HMIs, plant-floor at scale |
A defense contractor will typically pair PIV cards on engineering laptops with badge-and-PIN at HMI cells. A utility will run FIDO2 keys on the vendor remote-access path and badge readers everywhere else. The mix depends on the role and the site, not on a single enterprise standard.
Why OT and On-Premise Deployments Cost More
A handful of constraints break the IT-style cost model before pricing even starts.
- Shared workstations: A single HMI is operated by ten or twelve people across three shifts. Per-seat licensing assumes one human per seat, which does not reflect plant-floor reality. Either you pay for concurrent sessions, or you provision every operator individually and accept the login overhead.
- Air-gapped sites: Cloud-IdP push notifications assume the device can reach the internet. Many OT sites cannot. The alternatives are an on-prem IdP, a local credential cache, or hardware tokens that do not require a network. Each has its own cost shape.
- Latency requirements: A two-second cloud round-trip on every login is acceptable for finance and HR. It is not acceptable for an operator responding to an alarm. Plant-floor authentication has to resolve locally, which usually means a different licence tier or self-hosted infrastructure.
- Gloves and badges: Operators wear gloves. Touchscreens, fingerprint readers, and most consumer-grade biometric devices do not work through them. RFID badges paired with a separate PIN remain the most common practical fit.
- Legacy HMIs: A significant share of HMIs in production run Windows 7, XP-embedded, or a vendor stack frozen at a specific patch level. They cannot host a modern authentication agent. The solution is usually a proxy: a jump host, a reverse proxy, or network-level access controls in front of the HMI. That is a separate budget line.
Indirect Costs and Operational Realities
Beyond the listed hardware and licence figures, OT deployments carry indirect costs that often determine whether a project lands on budget.
- Token attrition: Plant-floor tokens get dropped, washed, or damaged. Plan for 8 to 12% re-issuance per year at sites with mixed indoor and outdoor environments.
- Shift-handover friction: If MFA slows handover, operators will route around it: a shared session, a propped door, a sticky note. Either the UX absorbs the friction through fast re-authentication, or the security posture absorbs it through unrecorded access.
- PKI lifecycle: Smart cards require ongoing certificate issuance, revocation, and renewal. Budget at least one dedicated FTE for a medium estate, with re-card cycles every two to three years.
- Pilot rework: The first pilot at any new site reveals unanticipated cases: printers that need exempted service accounts, vendor laptops that cannot enroll, buildings without signal. Budget 15 to 25% of project cost for unplanned iteration.
- Helpdesk surge: Expect a 3 to 5× ticket spike in the first six weeks of rollout. Underprovisioned support is where unauthorized MFA workarounds begin.
Compliance and Regulatory Drivers
MFA in OT is no longer a purely security-driven decision. Four frameworks make it a contractual obligation:
- NIST 800-171 §3.5.3 (mirrored in CMMC Level 2): MFA for both privileged and non-privileged accounts, for local and network access, on systems handling Controlled Unclassified Information. There is no exception for plant networks.
- NIS2 Directive (Annex I sectors): explicit MFA expectations for essential and important entities, including energy, water, food, transport, and manufacturing of critical products. Member-state transposition varies, but the floor is consistent.
- NERC CIP-007 R5.7: MFA for interactive remote access to Medium- and High-Impact BES Cyber Systems. Documented gaps now attract seven-figure penalties.
- IEC 62443-3-3 SR 1.1: identification and authentication of human users, increasingly referenced in customer security questionnaires and DoD-adjacent contracts.
If a site is in scope for any of the above, the question is no longer whether to deploy MFA, but how to deploy it without buying tools that do not fit the operational reality.
How Trout Approaches MFA Across IT and OT
The cost picture changes when MFA is enforced at the network layer rather than on every endpoint. Trout deploys an enclave around the set of systems an operator needs to reach, with authentication at the enclave boundary instead of inside each HMI, PLC, or jump host.
In practice, an operator walks to any workstation, logs in once with MFA, and selects in two or three clicks the machines they will use for the shift. Their permissions are applied to those machines at the network layer, and every command issued during that session is logged against their identity. When the session ends, the enclave releases.
The same model scales from IT to OT without modification, because enforcement does not depend on what the endpoint can run. That removes the largest cost driver in OT deployments, which is legacy equipment that cannot host an authentication agent, and replaces it with a single network-level control point.
Budgeting for an OT MFA Rollout
Three practices consistently produce better budget outcomes:
- Pilot a single zone before site-wide rollout. A 30-day pilot in one cell or HMI cluster surfaces most cost surprises for a week of engineering time. Site-wide rollouts without a pilot are where unplanned iteration multiplies.
- Standardize one token form factor per role. Supporting FIDO2 keys, smart cards, and mobile authenticators concurrently for the same operator population triples helpdesk load and re-issuance logistics.
- Allocate one third of the budget to operations. Hardware and licences are visible from the start; operational cost is invisible until rollout begins. A reasonable first-deployment split is 35% hardware, 30% licences and software, 35% operations and training, adjusted after year one against real helpdesk data.
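As an added worked example (not from the post or from Trout), the budgeting arithmetic above as a small Python model: table-range midpoints, year-one token re-issuance, the 15 to 25% rework contingency and the one-third operations share, applied to a constructed site. The dollar midpoints, the 120,000 PKI FTE cost and the role mix are assumptions.

```python
"""Year-one budget model for an OT MFA rollout, using the per-approach
figures and the indirect-cost rules of thumb quoted in this post.
Site size, role mix and the dollar midpoints are constructed sample inputs."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Approach:
    name: str
    hardware_per_user: float       # one-off hardware per user, USD (range midpoint)
    licence_per_user_month: float  # recurring software per user per month, USD
    reissue_rate: float            # annual token attrition (8 to 12% in the post)


# Midpoints of the comparison table's ranges (assumed values, not quotes).
APPROACHES = {
    "badge_pin": Approach("Badge tap + PIN", 27.5 + 5.0, 2.0, 0.10),
    "fido2": Approach("FIDO2 hardware key", 30.0, 0.0, 0.10),
    "piv": Approach("Smart card + PKI", 7.0 + 55.0, 0.0, 0.10),
    "mobile_byod": Approach("Mobile authenticator (BYOD)", 0.0, 4.5, 0.0),
}


def year_one_budget(roles, rework_rate=0.20, ops_share=0.35, pki_fte_cost=120_000.0):
    """roles: list of (role, headcount, approach key).
    rework_rate: unplanned-iteration contingency on direct cost (15 to 25%).
    ops_share: fraction of the *total* budget reserved for operations and
    training (the post's one-third rule). pki_fte_cost: hypothetical annual
    cost of the dedicated PKI FTE a smart-card estate needs."""
    hardware = licence = 0.0
    uses_pki = False
    for _role, headcount, key in roles:
        a = APPROACHES[key]
        # Year-one hardware includes expected re-issuance of lost or damaged tokens.
        hardware += headcount * a.hardware_per_user * (1 + a.reissue_rate)
        licence += headcount * a.licence_per_user_month * 12
        uses_pki = uses_pki or key == "piv"
    direct = hardware + licence
    rework = direct * rework_rate
    # Solve ops so that ops / (direct + rework + ops) == ops_share.
    ops = (direct + rework) * ops_share / (1 - ops_share)
    if uses_pki:
        ops += pki_fte_cost  # PKI lifecycle staffing sits on top of the share
    total = direct + rework + ops
    return {"hardware": hardware, "licence": licence, "rework": rework,
            "operations": ops, "total": total}


SAMPLE_SITE = [("operators", 120, "badge_pin"), ("engineers", 20, "fido2"),
               ("office", 40, "mobile_byod")]

if __name__ == "__main__":
    for line, value in year_one_budget(SAMPLE_SITE).items():
        print(f"{line:<11} ${value:>10,.0f}")
```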
Trout consolidates access control, segmentation, MFA enforcement, and audit logging into a single on-premise deployment that the customer owns end to end. Adding a site or an operator group is a configuration change at the network layer, not a per-device rollout, so the operational cost of scaling does not grow with the estate.
Conclusion
MFA in OT and on-premise environments is more expensive than the cloud pricing page suggests, but the cost is well below the average $4.45 million data breach and well below the regulatory penalties now in force under CMMC, NIS2, and NERC CIP. A defensible budget starts with a single-zone pilot, a standardized token strategy per role, and an honest allocation for the operational work that does not appear on any vendor's price list.