Don't understand why people think it costs
We don't have many external-facing systems that matter, but when we implemented one recently we used TOTP (Time-based One-Time Password that is, not Top Of The Pops.) No licenses to buy it is all either free or Free software.
Many of us resist using our own phones for corporate stuff but for people who use Google Authenticator for everything anyway it was not really a hardship to add one more entry to its list. People who couldn't or didn't want to got shown how to install the Authenticator browser extension instead which is at least 1.75FA and better than nothing.
I take the point from @Caff above "what about the auditing costs" but we had to have it audited anyway no matter how many FA we put in.
Biting the hand that feeds IT
