To schools and educational institutions
Get the feeling that you are protected by logging in.
~What if “PC login” is the biggest blind spot in your school’s security?~
1. New threats and background of information leaks in educational institutions
With the advancement of the GIGA School Initiative and ICT education, many schools have teachers, staff, and students who use PCs and tablets on a daily basis.
However, at the same time, there has been a constant stream of information leaks due to the physical loss or theft of PC terminals and unauthorized access by insiders.
According to the IPA’s 2024 report, approximately 80% of data leakage incidents in Japan are caused by “misuse of authentication information,” and in particular, in educational institutions, the fact that “MFA (multi-factor authentication) is not implemented when logging into the OS” is a major factor in expanding the damage.
In order to plug “invisible holes” in the school environment, such as teachers’ take-home PCs and remaining accounts of former staff members, it is essential to strengthen security at the time of logging into the OS.
2. What is applippli-key?
The applippli-key is a security solution that protects the information assets of schools and educational institutions by forcibly adding multi-factor authentication (MFA) when logging on to a Windows PC.
- Supported OS: Windows 10/11, Windows Server 2016 or later
- Authentication method: TOTP (Google/Microsoft Authenticator compatible)
- Encryption: AES-256
- Price (excluding tax): Client version, monthly fee JPY 600 / initial fee JPY 8,000 (per unit)
- Features:
・No server required, ready in about 5 minutes after installation
・No administrator settings required, easy to install
・MFA is enforced when logging on to a PC, blocking unauthorized use of portable and shared terminals
・Flexibly adapts to school PC environments, regardless of whether SaaS is introduced
・Easy to install, and can be operated separately for administrators and general users at school
・Compatible with offline environments and operations centered on campus LAN
3. Why is MFA necessary for OS login?
【1】 Limitations of password authentication
Phishing, dictionary attacks, password reuse… These risks also occur in schools. Authentication that relies on a single password leaves the “gateway to information” in educational settings unprotected.
【2】 Risk of information leakage when devices are lost or stolen
Faculty and staff PCs are taken out for extracurricular activities, business trips, telework, etc. If MFA is not implemented for OS login, internal information can be accessed immediately if the device is physically stolen.
【3】 Internal fraud, access by former staff
The Board of Education’s audit report also reported cases of unauthorized logins using IDs that remained usable after the holder had left the university. In order to make clear “who, when, and on which PC” an operation was performed, it is necessary to strengthen personal authentication at the OS login level.
4. Actual cases of information leakage (impact of not implementing MFA)
[Case 1] Shiga University (2023)
・Summary: A teacher lost a work laptop while on a business trip. Approximately 1,200 student lists were stored.
・Cause: Password authentication only. MFA not implemented, no encryption.
・Impact: Apology to students, loss of credibility of the university.
・Lesson: If MFA had been in place for OS login, the PC could not have been started up, and actual damage could have been kept to zero.
・Source: NHK Shiga (June 2023)
[Case 2] Osaka Education University (2019)
・Summary: A faculty member lost a PC containing career and evaluation information for over 800 graduates on a train.
・Cause: Only OS password, no MFA.
・Lesson: As an education university, it is urgent to introduce MFA to protect the trust of students.
・Source: Yomiuri Shimbun (October 2019)
[Case 3] Fukuoka University of Education (2022)
・Summary: A PC was left behind in a cafe. Approximately 1,000 student records were stored.
・Cause: Only password. No login MFA or encryption.
・Impact: No reports of unauthorized use. Measures to prevent recurrence announced.
・Source: Fukuoka University of Education website (2022)
[Case 4] Aichi Prefectural High School (2021)
・Summary: A staff ID was used even after the staff member had left their post, leading to unauthorized access to the academic system.
・Cause: Account was not disabled, MFA was not set.
・Lesson: ID deletion and OS-level MFA enforcement are essential.
・Source: Aichi Prefectural Board of Education Audit Report (2021)
[Case 5] Yokohama City Junior High School (2020)
・Summary: The staff room was broken into and a PC was stolen. It contained the student roster and home environment information.
・Cause: ID/PW only. No MFA or physical lock.
・Lesson: Physical theft countermeasures and OS login MFA should be considered together.
・Source: Kanagawa Shimbun (2020)
5. Effects of applippli-key Implementation (Comparison between Before/After Implementation)
Item | Before Implementation | After Implementation |
---|---|---|
Security of authentication | Password only. Easily broken | Double authentication with one-time code |
Risk of information leakage | If device is stolen, immediate access is possible | MFA blocks startup |
Management cost | Measures put off. Post-event response is burdensome | PoC implementation allows for gradual expansion |
Responding to education committees and parents | Accountability is a heavy burden | Having MFA already in place as an advance measure serves as explanatory material |
6. Proposal
First, we recommend that you install applippli-key on the management terminals of the information system staff and the academic affairs department and operate it as a PoC (proof of concept).
The applippli-key is a “security strengthening measure for the digital transformation era of education” that directly leads to the following in schools:
- Block unauthorized operation at the OS level
- Measures against loss of portable terminals
- Prevention of internal fraud and impersonation of former staff members
For the safe development of ICT education, why not protect the “invisible entrance” of OS login?