Seeing as I just did this at my place, yes cost does come up. 2FA on Windows login is - indeed - stupendously expensive.
We rolled out multiOTP on all RDP remote desktops (with the multiOTP "credential provider" in Windows). Takes a bit of fiddling but free and compatible with Google Authenticator. There's LDAP integration and a Hyper-V test image if you want to give it a whirl, or it can run on any Windows server. Works for RDP on standalone machines (if you want to use it at home), not just terminal servers (with central querying and offline caching).
By default it only applies it to RDP logins on the machines you install it on. But it can also block ordinary logins and demand TOTP keys just the same, so test with RDP and if it works like you want, roll it out for all desktop logins. And it can also function as a RADIUS server which gives you a lot more scope for usage.
WordPress we have deployed a 2FA login for.
I'm slowly working down to Exchange OWA and basic-website-wrapping (it's possible but it's a faff involving reverse proxies and splash screens). If anyone knows a good free solution for either, that doesn't involve that Microsoft Forefront thing, or emailed tokens (pointless for securing webmail!) then let me know!
At the moment looking at Apache wrapped in a module that pushes unknown users to a form, which can be used to query multiOTP but it's a bit of a hack.
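
For reference, an added example (not part of the comment above and not multiOTP's own code) of the server-side check behind Google Authenticator compatible TOTP codes: RFC 6238 with a 30-second step, a small clock-drift window, and rejection of codes from a time step that has already been accepted. The class name, the window size and the sample secret in the test are assumptions chosen for illustration.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per time step (Google Authenticator default)
DIGITS = 6   # code length (Google Authenticator default)


def hotp(key: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP using HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def decode_secret(b32: str) -> bytes:
    """Decode a base32 secret as it appears in an authenticator enrolment URI."""
    b32 = b32.replace(" ", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


class TotpVerifier:
    """Hypothetical per-user verifier: drift window plus one-time use."""

    def __init__(self, key: bytes, window: int = 1):
        self.key = key
        self.window = window   # accepted drift, in time steps either side
        self.last_step = -1    # highest time step already accepted

    def verify(self, code: str, now: float) -> bool:
        current = int(now) // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue  # same or older step than a code already used: replay
            expected = hotp(self.key, step).encode()
            if hmac.compare_digest(expected, code.encode()):
                self.last_step = step
                return True
        return False
```

The `last_step` state has to be stored per user on the server; without it, a code observed during login stays valid for the rest of the drift window.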