To those who are in charge of local governments and public bodies
The first step in protecting resident information is to start with ‘PC login’
~An easy way to protect your My Number, resident registers and LGWAN-connected terminals ~
1. Plugging the ‘last hole’ in municipal security
In recent years, the importance of information systems in local government operations has increased dramatically in line with the My Number system and the promotion of municipal DX. Cyber-attacks targeting residents’ information and internal administrative data have also increased rapidly, and we are entering an era in which security must be strengthened on the premise that local governments are targets.
In response to this trend, the Ministry of Internal Affairs and Communications and the Local Government Information Systems Organisation (J-LIS) have formulated a policy for strengthening municipal information security and have promoted the development of a multi-layer defence system nationwide, including the introduction of LGWAN, internet separation and security cloud. However, most cyber attacks start with the theft of IDs and passwords.
The introduction of multi-factor authentication (MFA) per terminal is also an essential measure in the Policy for Strengthening Municipal Information Security promoted by J-LIS (Japan Local Authorities Information Systems Organisation).
*What is LGWAN?
It is an abbreviation for Local Government Wide Area Network, a closed network dedicated to local governments. It is completely isolated from the internet and is used for highly sensitive operations such as My Number and Basic Resident Registers.
On the other hand, the reality is that in many local government sites, the defence of the “physical entrance” – the PC login – is an afterthought.
For example, the following conditions are often observed.
- LGWAN-connected terminals and terminals handling My Number are still logged in to using “passwords only”.
- PCs are used by multiple people and there is no record of who operated them.
- Physical access control is lax, for example, allowing third parties to operate terminals when the user is away from the office.
- There are many cases where account information is used repeatedly and initial passwords are not changed.
This situation poses a fatal risk: no matter how much encryption and how many firewalls are in place on the system, it is impossible to prevent ‘human intrusion’ and ‘operation spoofing’.
Even if internal fraud or negligence occurs, if it is not possible to prove “who did what, when and why”, it becomes difficult for the organisation to be accountable and even to formulate countermeasures.
Against this background, the guidelines issued by J-LIS and the municipal audits carried out by each prefecture now specify specific checkpoints, such as operation history records, personal authentication for each terminal and appropriate account management.
Nevertheless, why does login authentication become the “last hole”?
The reason is clear: operational concerns and misconceptions that ‘strengthening OS logins is time-consuming’ and ‘seems difficult to implement’ are barriers to adoption.
To address this, we are proposing an MFA (multi-factor authentication) solution called applippli-key, which aims to ensure maximum security while minimising the time and effort required onsite.
This is an “entrance measure” that clarifies who is using the terminal and prevents unauthorised use, simply by adding one-time password authentication when logging in to the PC.
In addition, the system does not require large-scale system changes for implementation or operation, and is designed to take into account existing network configurations and the IT literacy of staff.
The security challenges faced by municipalities cannot be solved by “special equipment” or “new systems” alone.
Rather, awareness of and mechanisms for each individual terminal used in day-to-day operations are the greatest line of defence.
applippli-key builds a foundation of safety and trust from the login of each and every one of its terminals.
And it is a realistic and effective option that can both strengthen security in compliance with the J-LIS policy and reduce the burden on the field.
2. What is applippli-key?
It is an MFA solution that prevents unauthorised login to municipal terminals by adding a smartphone authentication application (TOTP) at PC OS logon.
- Supported OS: Windows 10/11, Windows Server 2016 or later
- Authentication method: TOTP (Google/Microsoft Authenticator compatible)
- Encryption: AES-256
- Price (excluding tax):
・Client licence JPY 600/month (initial cost JPY 8,000)
・Server licence JPY 55,000/month (initial cost JPY 100,000)
Features
- Ideal for LGWAN-connected terminals and My Number terminals
- Light to install and operate, independent of network configuration
- Complies with J-LIS guidelines in recording evidence
- Can be implemented in both cloud and on-premise environments
3. Why is MFA required for OS login?
Issues | Contents |
---|---|
Insufficient entrance measures | If OS login is password only, anyone can access |
Gap with J-LIS policy | Insufficient evidence and access control in security robustness |
Hotbed of internal fraud | Spoofed use of shared PCs and loaned terminals, unclear responsibilities |
My Number protection crisis | Lack of control over physical access to terminals while away from the seat or data in an unencrypted state |
4. Before/After MFA introduction
Items | Before introduction | After introduction |
---|---|---|
Authentication security | Password only | One-time password to strengthen identification |
Trail management | Unknown operation history with shared accounts | Login history can be acquired, easy to respond to audits |
Internal fraud risk | Spoofing when away from the desk/office or on loaned PCs. | Clarification of the subject of operation by MFA |
Safety of resident information | Possibility of taking out USB and internal leakage | Blocking unauthorised access at the entrance |
5. Learning from damage cases (real examples)
[Case 1] Numazu City, Shizuoka Prefecture: unauthorised terminal access by ICT staff (Aug 2024 – Mar 2025)
• Summary: Four employees belonging to the ICT Promotion Division used the work terminal management system for private, non-work purposes, and illegally viewed and manipulated the terminal screens of other employees a total of 2,867 times. Some of the unauthorised use involved personnel information of specific employees.
• Cause: The administrator account was password-only and access control by MFA, etc. had not been introduced, which facilitated the abuse of authority.
• Damage/impact:
o Disciplinary action (suspension, pay cut, warning, etc.) issued
o The mayor apologised at a press conference and declared an agency-wide audit system and policy review
o The situation developed to the point where the trust of residents and employees was seriously damaged
• Measures: strict login control (MFA, multi-layer authentication) for privileged accounts and a regular monitoring system for operation history are essential.
• Source: Numazu City, Shizuoka Prefecture news release, etc.
[Case 2] Osaka City: Loss of PC containing welfare protection information (2019)
• Summary: An employee of the Welfare Protection Section of Osaka City took a PC containing information on welfare recipients on a business trip and lost it. It took a long time from the loss to the report, and explanations to residents took a back seat.
• Target information: names, addresses, dependency and support records, DV damage history, etc. of welfare recipients.
• Cause:
o PC login management was password-only and MFA and terminal control had not been introduced.
o Security training and checks on business terminals were insufficient.
• Damage/impact:
o Hearing response from the Personal Data Protection Commission
o Criticised by Parliament and media, distrust of administrative information management.
• Countermeasure: Information with a high risk of harming specific individuals (DV, dependency, protection history, etc.) is what requires strong authentication management (MFA and lock control) at the terminal level.
• Source: Yomiuri Shimbun Osaka edition (March 2019) Osaka City Council, Municipal Government data (internal documents)
Other examples in recent years:
・Ginowan City, Okinawa Prefecture: unauthorised viewing of personnel information outside the department by an employee for a long period (discovered in 2021)
・Kobayashi City, Miyazaki Prefecture: unauthorised viewing of resident information by an employee (2021 – July 2024)
・Aichi Prefecture: official PC lost (June 2024)
・Hyogo Prefecture: information leaked from former bureau chief’s official PC (announced in May 2024)
It is said that these may be the tip of the iceberg.
However, most of these problems stem from the fact that the OS was easily opened due to vulnerabilities in the authentication for login and use.
This is precisely the point: most of the real damage could have been prevented if MFA such as applippli-key had been introduced for OS logins.
6. applippli-key implementation process
- Hearing and selection of target devices
- PoC implementation (up to 10 terminals)
- Support for full-scale implementation and staff briefings
- Audit support and operation manuals are also provided
*PoC implementation (trial implementation) can be completed in as little as 10-20 minutes
7. Summary of proposals
applippli-key brings the following value to local authorities
- Protects resident information from the entrance by introducing MFA in line with J-LIS guidelines.
- Technically complements OS logon of LGWAN terminals
- Enhances operation trails and access control in the My Number system
- Minimises on-site burden with light introduction, low cost and easy operation
- Can be deployed in stages, starting with PoC introduction
Please contact us for introduction consultation, demonstration requests, quotations, etc.
Secure, easy and reliable login, a step forward in protecting the trust of residents.