Re: Extortionate costs
Doesn't need to cost much. HOTP/TOTP is an open standard with a plethora of software tokens on all devices, and readily available reasonably-cheap hardware tokens. We've recently implemented this using the PrivacyIDEA 2FA system.
Didn't take me long, and absolutely zero spend.