Securing Corporate Boards: Why Multiple-Factor Authentication Matters

Board meetings are among the most sensitive events in any organization’s calendar. Financial data, M&A targets, executive compensation, strategic plans — all of it flows through board communications. A single breach at this level can trigger regulatory action, market consequences, and lasting reputational damage. The OECD has consistently called on boards to treat security protocols as a governance priority, not an IT afterthought.

Multiple Factor Authentication (MFA) is one of the most practical measures boards can take. Microsoft research shows MFA blocks over 99.9% of automated account compromise attacks. But not all MFA is the same — and understanding the difference matters more now than ever.

What is Multiple-Factor Authentication?

Multiple Factor Authentication is a system that requires users to provide more than one form of identification before gaining access to a platform. Traditionally, logging into systems involves providing a username or email and a password. MFA adds an additional layer of security, requiring further verification once the usual credentials have been entered.

This extra verification can take several forms: a unique code, a hardware token, a fingerprint, or a facial scan. The principle is straightforward. Even if an attacker gains access to a password, they still cannot log in without providing the second factor. This greatly reduces the risk of unauthorized access, data breaches, and credential theft from phishing or malware attacks.

MFA is based on three categories of factors:

  • Something you know — passwords, PINs
  • Something you have — a mobile device, hardware token, or authenticator app
  • Something you are — biometrics such as fingerprint or facial recognition

Understanding board vulnerabilities

Cyber risks are rising and the stakes for corporate governance are higher than ever. The average cost of a data breach reached $4.88 million in 2024, the highest figure on record, according to IBM’s Cost of a Data Breach Report. Boards are a primary target because of the value of the information accessible through board-level accounts: financial projections, regulatory filings, confidential negotiations, and board decisions that can move markets if leaked early.

Beyond direct hacking, the main methods for compromising board accounts are physical device theft, credential theft, and social engineering tactics like phishing. Human error — whether inadvertently sharing credentials or storing login details on a personal device — is a persistent vulnerability. Routine training and clear password hygiene policies address part of this risk. Technical access controls, including MFA, address the rest.

Combining both approaches is important. Training without access controls leaves gaps. Access controls without trained users leave gaps. Neither is sufficient on its own.


Not all MFA is equal: the 2025 security tiers

The critical insight that has reshaped MFA guidance in recent years is this: simply having MFA is no longer enough. A staggering 79% of business email compromise victims already had some form of MFA enabled when they were breached. Attackers have shifted focus from stealing passwords to bypassing the MFA layer itself.

The main attack methods

  • SIM swapping: Attackers convince a mobile carrier to transfer your phone number to their device, intercepting all SMS verification codes. This makes SMS-based 2FA particularly vulnerable.
  • MFA fatigue: Attackers flood a user with repeated push notification requests until they approve one out of frustration. Simple “tap to approve” prompts are the primary target.
  • Adversary-in-the-Middle (AiTM): Attackers trick users into completing MFA on a spoofed site, capturing the session token in real time.

The security ranking

Security frameworks, including NIST SP 800-63B, now rank MFA methods by their resistance to these attacks:

| MFA method | Security level | Key vulnerability |
|---|---|---|
| SMS / email one-time code | Low (legacy risk) | SIM swapping, interception, phishing |
| TOTP authenticator app (e.g. Google Authenticator) | Moderate | Phishing (user can be tricked into entering the code on a fake site) |
| Push notification — basic approve/deny | Moderate | MFA fatigue attacks |
| Push with number matching | High | Requires user attention; conditional for high assurance |
| FIDO2 security key / passkey | Very high — phishing-resistant | Physical loss of the device only |

FIDO2 and passkeys are considered the gold standard. They use public-key cryptography that cryptographically binds authentication to the legitimate website, making phishing technically impossible. Major technology platforms and regulated industries are now mandating this shift.

For boards specifically, where the sensitivity of materials is highest, phishing-resistant authentication is the appropriate standard.
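To make the difference between a TOTP code and a FIDO2 assertion concrete, here is an added Python sketch (not DiliTrust's code or any product's) of the relying-party checks: the TOTP verifier has no way to know where the code was typed, while the WebAuthn check rejects client data recorded on any origin other than the portal's own. The relying-party identifiers (portal.example), the challenge values and the look-alike origin are constructed assumptions, and the authenticator signature verification step is left out.

```python
import hashlib
import hmac
import json
import struct

# Constructed relying-party settings for a hypothetical board portal (not DiliTrust's).
RP_ID = "portal.example"
RP_ORIGIN = "https://portal.example"

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp_accepts(secret: bytes, submitted: str, unix_time: int) -> bool:
    # A TOTP code carries no information about WHERE the user typed it, so a code
    # entered on a look-alike page is indistinguishable from a genuine one.
    return hmac.compare_digest(totp(secret, unix_time), submitted)

def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON as a browser produces it for a 'get' ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge,
                       "origin": origin}).encode()

# authenticatorData begins with SHA-256(rpId), then flags (UP|UV) and a counter.
AUTH_DATA = hashlib.sha256(RP_ID.encode()).digest() + b"\x05" + b"\x00\x00\x00\x01"

def assertion_binding_ok(client_data_json: bytes, authenticator_data: bytes,
                         expected_challenge: str) -> bool:
    """Relying-party checks from the WebAuthn assertion ceremony that give FIDO2 its
    phishing resistance. The authenticator signs authenticator_data ||
    SHA-256(client_data_json), so a proxy cannot rewrite the recorded origin without
    invalidating the signature (signature verification itself is omitted here)."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if not hmac.compare_digest(cd.get("challenge", ""), expected_challenge):
        return False  # replayed or cross-session assertion
    if cd.get("origin") != RP_ORIGIN:
        return False  # the check an adversary-in-the-middle page cannot pass
    return authenticator_data[:32] == hashlib.sha256(RP_ID.encode()).digest()
```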

MFA and regulatory compliance

MFA is no longer just a best practice — it is increasingly a legal requirement.

  • NIS2 Directive: Strengthens authentication requirements for organizations across critical sectors in the EU, with board-level accountability for implementation.
  • DORA (Digital Operational Resilience Act): Enforces strict MFA requirements for financial institutions operating in the EU.
  • PCI DSS v4.0.1: Required MFA for all access to payment card data environments as of March 2025.
  • GDPR: Mandates secure authentication controls for any system processing personal data.

Organizations that do not meet these requirements face regulatory penalties and, in the event of a breach, significantly higher liability exposure. For boards overseeing compliance programs, MFA at the governance level is also a credibility signal: it would be difficult to enforce authentication standards across the organization while board systems themselves remain unprotected.

Fortifying boards with MFA

As boards turn to service providers to manage their day-to-day governance activities, security features and standards have become a primary selection criterion. Displaying useful features and clean interfaces is important, but far from sufficient. Reliable providers must implement authentication controls that meet current threat standards.

MFA stands out as a concrete protective measure boards should confirm is in place — and should see as a strategic investment in the organization’s governance resilience. When a board portal is breached, the damage goes beyond data loss: it undermines the trust and credibility of the entire governance function.

DiliTrust’s Board Portal: security built in

The DiliTrust Board Portal is designed to meet the security demands of boards operating under regulatory scrutiny. Its security architecture includes:

  • Two-Factor Authentication (TFA) and Single Sign-On (SSO) integration — organizations can connect DiliTrust with their existing identity management infrastructure, centralizing authentication controls and user provisioning.
  • End-to-end encryption — data is encrypted before leaving the user’s device and decrypted securely at the destination server, protecting communications at every stage.
  • Granular access control — permissions can be set down to the individual document level, including separate rules for viewing, printing, and downloading. Sensitive agenda items can be restricted to specific committee members.
  • Document watermarking — watermarks identify the source of any leaked document, deterring unauthorized sharing.
  • Inactivity timeout — users are automatically disconnected after a configurable period of inactivity, preventing unauthorized access from unattended devices.
  • Full audit trail — three log types (accessed content, login reports, activity reports) track every action on the platform. Administrators can identify unusual behavior, such as a user exporting large volumes of documents, in real time.
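As an added illustration of the kind of export-volume check the audit-trail bullet describes (example code, not DiliTrust's own), this sliding-window detector flags any user who exports a threshold number of documents within a short window. The log layout, user names and the five-exports-in-ten-minutes threshold are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed activity-report sample; the field layout is an assumption, not a real
# board-portal log format.
SAMPLE_ACTIVITY_LOG = """\
2025-03-04T09:00:12Z user=alice action=view doc=agenda-q1.pdf
2025-03-04T09:01:40Z user=bob action=export doc=budget-fy25.xlsx
2025-03-04T09:02:05Z user=bob action=export doc=ma-shortlist.pdf
2025-03-04T09:02:31Z user=alice action=export doc=agenda-q1.pdf
2025-03-04T09:02:58Z user=bob action=export doc=exec-comp.pdf
2025-03-04T09:03:20Z user=bob action=export doc=minutes-feb.pdf
2025-03-04T09:03:44Z user=bob action=export doc=strategy-2026.pptx
2025-03-04T10:15:00Z user=carol action=export doc=audit-report.pdf
2025-03-04T11:40:00Z user=carol action=export doc=risk-register.xlsx
2025-03-04T13:05:00Z user=carol action=export doc=board-pack.pdf
2025-03-04T14:30:00Z user=carol action=export doc=policy.pdf
2025-03-04T16:00:00Z user=carol action=export doc=charter.pdf
"""

def parse_line(line: str) -> dict:
    """Split 'timestamp key=value ...' into a dict with a parsed 'ts' field."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec

def flag_bulk_exports(log_text: str, threshold: int = 5,
                      window: timedelta = timedelta(minutes=10)) -> dict:
    """Return {user: timestamp} for each user whose export count inside a sliding
    `window` reaches `threshold`; the timestamp is the export that crossed it.
    The loop consumes events in order, so the same logic can run as they arrive."""
    recent = defaultdict(deque)  # per-user timestamps of exports still in the window
    alerts = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["action"] != "export":
            continue
        q = recent[rec["user"]]
        q.append(rec["ts"])
        while rec["ts"] - q[0] > window:  # drop exports that fell out of the window
            q.popleft()
        if len(q) >= threshold and rec["user"] not in alerts:
            alerts[rec["user"]] = rec["ts"]
    return alerts

if __name__ == "__main__":
    for user, when in flag_bulk_exports(SAMPLE_ACTIVITY_LOG).items():
        print(f"ALERT: bulk export by {user}, threshold crossed at {when.isoformat()}")
```

Spreading the same number of exports over a working day, as carol does in the sample, stays below the window and is not flagged; tune the threshold and window to the board's normal document handling.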

DiliTrust holds ISO 27001 and ISO 27701 certifications and is fully compliant with GDPR and data protection regulations. All data is hosted on ISO 27001-certified servers. The platform currently manages more than 15,000 boards and stores over 5 million documents for more than 100,000 users worldwide.


FAQ: board security and MFA

What is Multi-Factor Authentication (MFA)?

MFA is a security method that requires users to verify their identity using two or more independent factors before accessing a system. These factors are typically something you know (a password), something you have (a device or token), and something you are (biometrics). By requiring multiple factors, MFA significantly reduces the risk of unauthorized access even when a password has been compromised.

Is MFA enough to secure a board portal?

MFA is an essential layer, but it works best as part of a broader security architecture. End-to-end encryption, granular access controls, audit trails, and regular user training are all necessary alongside MFA. The type of MFA also matters: SMS-based verification is vulnerable to SIM swapping, while phishing-resistant methods like FIDO2 and SSO integrations provide stronger protection for high-sensitivity environments like board governance.

What is the most secure MFA method?

FIDO2 security keys and passkeys are currently the most secure MFA methods available. They use public-key cryptography that makes phishing technically impossible by cryptographically binding authentication to the legitimate website. Regulatory frameworks including NIST SP 800-63B and PCI DSS v4.0.1 now reference or recommend phishing-resistant methods as the standard for high-assurance environments.

Do NIS2 and DORA require MFA?

Yes. Both the NIS2 Directive and DORA require strong authentication controls for organizations within their scope. NIS2 covers critical sectors across the EU and mandates board-level accountability for cybersecurity measures. DORA applies to financial institutions in the EU and enforces strict authentication requirements as part of broader digital operational resilience standards. Non-compliance can result in significant penalties.