March 6, 2026
Multi-factor authentication (MFA) is useful in legacy OT environments because it makes stolen passwords much less valuable, especially as remote access and vendor connections become more common. The post also explains that rolling out MFA in OT is much harder than in typical IT systems. Many older industrial devices do not support modern login methods, some rely on shared accounts, and even small delays or login failures can interfere with time-sensitive operations. In these environments, uptime and safety come first, so a badly designed MFA rollout can be seen as an operational risk rather than a security improvement.
The post's main recommendation is to introduce MFA carefully and in stages instead of trying to force it everywhere at once. It suggests starting with the highest-risk access points—such as remote vendor access, jump hosts, and remote access gateways—where MFA adds strong protection without touching every machine on the plant floor. The post also emphasizes using OT-friendly solutions that can work offline, support local failover, and fit older protocols, while making sure IT, OT, vendors, and leadership coordinate closely. The overall message is that MFA can work in legacy OT, but only if it is designed around industrial reliability and safety requirements.
Source: https://gca.isa.org/blog/the-challenges-of-mfa-adoption-in-a-legacy-ot-environment