The Reality of Cyberattacks and the Potential of FIDO Authentication: Lessons from the Oita Tokiha Incident and Next-Generation Defense Strategies

  • Incident Research Team
  • July 28, 2025
  • Reading time: 25 min

Chapter 1: The Tokiha Group Incident – A Catastrophe That Struck Modern Retail


In March 2025, the Oita-based Tokiha Group, a department store chain supporting the regional economy, was thrust into the midst of a cyberattack that shook the foundation of its business. This incident was not merely a technical one; it became a symbolic case study, revealing the vulnerability of modern retail and the catastrophic impact of cyberattacks. The damage extended beyond a temporary business suspension, resulting in months of dysfunction and, ultimately, the worst-case outcome: a massive data breach affecting hundreds of thousands of customers. Understanding the full scope of this disaster provides essential lessons for all companies facing similar risks.


Initial Confusion and Business Paralysis


The first signs of an anomaly were detected on March 30, 2025 1. Initially recognized as a “system failure,” the investigation soon revealed its grave nature: multiple group servers had been encrypted by ransomware 1. Ransomware is a malicious type of malware that holds data hostage and demands a ransom in exchange for decryption. As a result of the attack, the core systems of Tokiha Industry’s supermarkets—specifically, systems managing procurement and sales—were rendered entirely inoperable 3.

Faced with this situation, management had to make a difficult decision. On March 31, Tokiha Industry announced a temporary closure of all 23 stores in the prefecture 5. This unprecedented shutdown of supermarkets—vital infrastructure for the local community—not only caused significant inconvenience to customers but also severely damaged the company’s credibility. This chaotic initial response clearly demonstrated that ransomware is not merely a data issue—it can directly paralyze physical business operations.


Prolonged Dysfunction and Invisible Economic Losses


Although store operations resumed the following day, this did not mean the problem was resolved. In fact, the depth of the damage became more apparent thereafter. The destruction of core systems had a grave impact: critical customer services such as credit card payments and loyalty point programs remained suspended for about two months 8. Customers were forced to pay in cash, and they were unable to earn or redeem points. This likely led to a significant decline in customer satisfaction and accelerated customer attrition to competitors.

Moreover, the dysfunction directly affected seasonal sales strategies—for example, the start of orders for mid-year gift campaigns (ochugen) was postponed to late June 8. These facts indicate that the damages from a cyberattack go far beyond the direct cost of a ransom payment. Rather, “invisible costs” such as loss of business continuity, customer churn, and brand damage can silently erode the company’s foundation.

To quantify this type of damage, the “2024 Cost of a Data Breach Report” by IBM and the Ponemon Institute offers important insights. According to the report, the global average total cost of a data breach reached USD 4.88 million, the largest increase (10%) since the pandemic 11. The largest portion of this cost is “lost business,” averaging USD 1.47 million, due to downtime and customer churn 15. The two-month paralysis of Tokiha Group’s payment systems is a textbook example of these “lost business” costs becoming reality. The key takeaway is that the primary objective of ransomware defense is not merely to avoid paying ransom, but to ensure business continuity.


The Final Tragedy: Massive Personal Data Breach


In July 2025, Tokiha Group was forced to announce the worst-case outcome: during the ransomware attack, the attackers had not only encrypted data but also exfiltrated a large volume of information. The number of potentially leaked records reached approximately 449,000. The breakdown was shocking: up to 421,355 customer membership records (names, addresses, phone numbers, email addresses, purchase histories, etc.), including 127,263 credit card records (card number, cardholder name, expiration date) 17. In addition, information on business partners, dispatch/contract workers, employees, and even their families was affected 17.

This indicates that the attackers employed “double extortion,” the standard method of modern ransomware 18. Attackers not only encrypt data to halt operations but also threaten to publish stolen data, pressuring companies to pay even if they can restore systems from backups.

This large-scale leak will burden Tokiha Group with long-term liabilities: loss of customer trust, mandatory reporting to data protection authorities, notifications to affected individuals, and potential class action risks—all of which require enormous cost and time 21. IBM’s report also points out that the average cost per record continues to rise, and the leakage of personally identifiable information (PII) is one of the biggest cost drivers 12.

The Tokiha Group case makes it clear that ransomware attacks are no longer mere data encryption incidents. They paralyze business, destroy customer trust, and impose long-term financial and legal burdens—a complex corporate disaster. Therefore, defense strategies must focus not only on strengthening backups but also on preventing the initial intrusion in the first place.


Chapter 2: Ransomware Tactics – Unpacking the Attacker’s Monetization Playbook


Catastrophic damage like that suffered by Tokiha Group does not occur magically. Behind it lies a systematic and efficient “attack playbook” established by cybercriminals. Understanding this playbook is the first step toward effective defense. Modern ransomware attacks exploit a narrow set of common weaknesses—surprisingly limited entry paths.


The Main Battlefield: Remote Access Infrastructure


Recent cybersecurity reports consistently point to the same primary entry paths: remote access infrastructure. Specifically, VPN (Virtual Private Network) appliances and RDP (Remote Desktop Protocol) endpoints are prime targets for attackers 22. Statistics published by Japan’s National Police Agency also show that intrusions via VPN appliances are disproportionately reported as infection vectors for ransomware 24.

Why are these infrastructures targeted? Mainly for two reasons. First, by their nature, these services must be exposed to the public internet, making them reachable by attackers worldwide 22. Second, these devices and protocols often have security flaws—for example, unpatched known vulnerabilities 25, or weak/default passwords left unchanged 24. Attackers exploit these weaknesses using brute-force attacks or password spraying to gain an initial foothold into the organization’s network 24.

For businesses, this is a critical insight: tools designed to improve employee productivity (remote access) have become the greatest security weak points—the main battlefield of cyberattacks. The security level of these entry points directly determines the organization’s vulnerability to ransomware.


The Key to the Attack: Stolen Credentials


Another major entry path is theft of legitimate credentials (ID and password) and logging in as a normal user. IBM’s “2024 Cost of a Data Breach Report” shows that “stolen or compromised credentials” account for 16% of initial attack vectors—making it the most common 11. Even worse, these incidents take the longest to detect and contain—an average of 292 days—because the attacker masquerades as a legitimate user and blends in.

How are these credentials stolen? Through phishing, an old but still highly effective technique. A 2024 survey reports that 52.3% of ransomware attacks originate from email or phishing 29. Attackers send sophisticated fake emails impersonating vendors, IT departments, or major cloud providers such as Microsoft 30. Users who click links are redirected to a fake login page that looks genuine, where they unknowingly enter their IDs and passwords 33.


The Cybercrime Ecosystem: Initial Access Brokers (IABs)


The threat of modern ransomware is amplified by the RaaS (Ransomware-as-a-Service) business model and the ecosystem supported by “Initial Access Brokers (IABs)” 19. IABs are specialists in the cybercrime economy. They do not carry out the final stages, like deploying ransomware or encrypting data. Their business focuses exclusively on infiltrating networks and selling that access 35.

When IABs successfully infiltrate via VPN/RDP exploitation or phishing, they auction off access (e.g., VPN credentials or admin access to RDP servers) on the dark web 36. Buyers are “affiliates” of major ransomware groups like LockBit or ALPHV/BlackCat 39. This allows attackers without advanced intrusion skills to purchase access and execute ransomware attacks—provided they have the funds.

The rise of IABs has two critical implications for defenders. First, your organization’s security is constantly and passively tested by numerous financially motivated intrusion specialists—not just a single adversary. Second, the “shelf life” of risk caused by security flaws has dramatically lengthened. For example, an IAB may infiltrate in January, and the access might not be sold to a ransomware group until March 39. This underscores the importance of proactive, always-on defense postures over reactive, after-the-fact incident response.


Chapter 3: Point of Entry – Why Legacy Authentication Is a Failed Defense


Why do tragedies like the Tokiha Group’s repeat? Fundamentally, because many organizations still rely on outdated authentication security. While attackers have evolved, the “front door lock” remains antiquated. Layering stopgap measures on top of a fragile base—passwords—offers little resistance against sophisticated attacks. Here, we explain technically why traditional methods—even basic MFA—are insufficient against modern threats.


The “Original Sin” of Passwords


The root of the problem is passwords—one form of “shared secret.” Authentication is established because both the user and the service share the same secret (the password). This architecture is fundamentally flawed because the secret can be stolen. Attackers can phish it 30, guess it via brute force 41, reuse credentials leaked from other services 24, and more. Once stolen, a password is no longer a secret; it becomes a master key for attackers.


The Limits of “Phishable MFA”


MFA (multi-factor authentication) emerged to compensate for password weaknesses. SMS one-time codes and TOTP codes generated by authenticator apps (e.g., Microsoft Authenticator, Google Authenticator) are widely used. By adding a “possession factor” (phone) to the “knowledge factor” (password), these drastically improve security over passwords alone.

However, these common MFAs are still bound by the “shared secret” paradigm. One-time codes are also temporary secrets exchanged between user and server—and they too can be stolen 43. The technique that enables this is the Adversary-in-the-Middle (AiTM) attack, a sophisticated phishing method.


Mechanism of AiTM Attacks: Session Token Hijacking


Here’s how AiTM works 44:

  1. Reverse Proxy Setup: The attacker builds a fake login page (e.g., for Microsoft 365) on a reverse proxy server under their control, replicating the real site perfectly.

  2. Luring the User: The attacker sends a phishing email that drives the user to the fake site, where the user believes it’s legitimate and enters their ID and password.

  3. Relaying and Theft: The reverse proxy relays the credentials in real time to the genuine login page.

  4. Relaying MFA Prompt: The genuine service prompts for MFA; the reverse proxy passes this prompt back to the user.

  5. Bypassing MFA: The user submits the one-time code (or approves a push prompt); the reverse proxy relays it to the real service and completes authentication.

  6. Session Hijack: Upon successful authentication, the genuine service issues a session cookie (the “pass” for staying logged in). The reverse proxy steals this cookie before returning it to the user 47.

With the session cookie in hand, the attacker can access the account as the user—bypassing ID, password, and MFA 44. Major ransomware groups like ALPHV/BlackCat have been observed using AiTM 49.

This shows that the core vulnerability has shifted from static secrets (passwords, OTPs) to session tokens issued after successful authentication. The objective is not merely to pass the login moment but to hijack the valid session. Any method that can be proxied is, in principle, vulnerable to this.
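
Because the stolen artifact is the session cookie, one check a defender can run is to look for a session that is later presented by a different client than the one that completed sign-in. The following JavaScript (Node.js) is an added example, not part of the original article; the log format, field order and all addresses are constructed, and the log is assumed to be in time order.

```javascript
// Added example: flag sessions used from a client context that differs from
// the context that completed sign-in. Log format and values are constructed.
const SAMPLE_LOG = [
  '2025-03-01T09:00:02Z signin  alice sess-a1 203.0.113.10 "Edge/122 Windows"',
  '2025-03-01T09:01:40Z request alice sess-a1 203.0.113.10 "Edge/122 Windows"',
  '2025-03-01T09:10:00Z signin  bob   sess-b7 198.51.100.7 "Chrome/122 Windows"',
  '2025-03-01T09:15:00Z request bob   sess-b7 192.0.2.55   "Firefox/115 Linux"',
  '2025-03-01T09:16:00Z request bob   sess-b7 192.0.2.55   "Firefox/115 Linux"',
  '2025-03-01T09:20:00Z signin  carol sess-c3 203.0.113.44 "Safari/17 macOS"',
  '2025-03-01T10:05:00Z request carol sess-c3 203.0.113.91 "Safari/17 macOS"',
  'truncated line without the expected fields',
];

// timestamp, event, user, session id, source IP, quoted user agent
const LINE = /^(\S+)\s+(signin|request)\s+(\S+)\s+(\S+)\s+(\S+)\s+"([^"]*)"$/;

function findSessionReuse(lines) {
  const baseline = new Map();   // session id -> context that completed sign-in
  const reported = new Set();   // one finding per session and new context
  const findings = [];
  let malformed = 0;

  for (const line of lines) {
    const m = LINE.exec(line.trim());
    if (!m) { malformed += 1; continue; }          // count, do not silently drop
    const [, ts, event, user, session, ip, ua] = m;

    if (event === 'signin') { baseline.set(session, { ts, ip, ua }); continue; }

    const base = baseline.get(session);
    if (!base) continue;                           // sign-in is outside this log window
    const ipChanged = ip !== base.ip;
    const uaChanged = ua !== base.ua;
    if (!ipChanged && !uaChanged) continue;

    const key = `${session}|${ip}|${ua}`;
    if (reported.has(key)) continue;
    reported.add(key);

    findings.push({
      user,
      session,
      // Both attributes changing is a strong signal; an IP change alone is
      // common for roaming users and is queued for review instead.
      severity: ipChanged && uaChanged ? 'high' : 'review',
      secondsAfterSignin: (Date.parse(ts) - Date.parse(base.ts)) / 1000,
      signinIp: base.ip,
      requestIp: ip,
    });
  }
  return { findings, malformed };
}

const sessionReport = findSessionReuse(SAMPLE_LOG);
console.log(JSON.stringify(sessionReport, null, 2));
```

A check like this finds reuse after the fact; it does not stop the cookie from being issued, which is what the protocol-level defenses in the next chapter address.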

Given this reality, how we evaluate MFA must change. The crucial question is not just combining “knowledge/possession/biometrics,” but whether the protocol itself is cryptographically resistant to interception and replay by intermediaries. Agencies like CISA rank FIDO/PKI-based authentication at the top tier, placing OTPs and push notifications below—reflecting differences at the protocol level 43. Moving away from legacy authentication is no longer optional—it’s mandatory.


Chapter 4: A Paradigm Shift in Access Security – Phishing-Resistant MFA and the FIDO2 Standard


In response to the repeated bypass of traditional authentication by attacks like AiTM, a new “gold standard” is emerging: Phishing-Resistant MFA. This is not just an improved MFA—it’s a paradigm shift. Strongly recommended by agencies like CISA and NIST, it is realized through the FIDO2/WebAuthn standard 43.


Definition of Phishing-Resistant MFA


As the name implies, it is authentication that is inherently resistant to phishing and man-in-the-middle (AiTM) attacks. The key is abandoning shared secrets. Instead of exchanging temporary secrets like SMS codes or TOTP, it uses cryptographic proofs that are useless if intercepted—making the authentication process itself robust 43.


How FIDO2/WebAuthn Works: Public-Key Cryptography in Practice


FIDO2/WebAuthn (standardized by the FIDO Alliance and W3C) is the representative technology enabling phishing-resistant MFA. It is based on public-key cryptography 53.

  1. Registration: When a user registers their device (the “authenticator,” e.g., smartphone or a physical key like YubiKey) with a FIDO2-enabled website (the “relying party”), the authenticator generates a key pair—a private key and a public key—unique to that site 56.

    • The private key is stored securely in the authenticator and never leaves it.

    • The public key is sent to the server and stored with the user’s account 58.

  2. Authentication: When logging in, the website sends a one-time challenge to the browser 53.

  3. Signing and Verification: The authenticator prompts the user for local verification (PIN, fingerprint, face). Upon success, it signs the challenge with the private key and returns it 53. The website verifies the signature using the stored public key. If valid, the user is authenticated 59.


Origin Binding: Rendering Phishing Powerless


FIDO2’s extraordinary anti-phishing power comes from origin binding 55. The key pair created during registration is cryptographically bound to the site’s domain (origin).

For example, if the user registered their key with login.microsoft.com, the key pair is valid only for that origin. If the user is lured to microsoft-login.com, the browser detects that the current domain differs and will not allow the use of the login.microsoft.com key. The authenticator cannot sign, and authentication fails 62.

This also defeats AiTM. The attacker’s reverse proxy domain is different from the genuine site’s domain. Even if the user tries to authenticate on the fake site, origin binding blocks it; the attacker cannot obtain a valid signature. FIDO2 thus forces prevention at the protocol level, removing reliance on human judgment.
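
The registration, challenge signing and origin check described above can be traced in a small model. The following JavaScript (Node.js) is an added example, not code from this article or from any product it mentions; the class and function names and both domains are constructed, and the CBOR encoding, attestation, flags and counters of real WebAuthn are left out.

```javascript
// Added example: a simplified model of WebAuthn registration and assertion.
// Only the origin-binding logic is kept; names and domains are hypothetical.
const nodeCrypto = require('node:crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

class Authenticator {
  constructor() { this.keys = new Map(); }             // rpId -> private key
  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);                    // the private key stays here
    return publicKey;                                   // only this goes to the server
  }
  sign(rpId, clientDataJSON) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null;                       // no credential for this rpId
    const authData = sha256(rpId);                      // stands in for rpIdHash
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON,
             signature: nodeCrypto.sign('sha256', signed, privateKey) };
  }
}

// Browser role: it, not the page, writes the origin, and it refuses an rpId
// that does not match the host of the page making the request.
function browserGetAssertion(pageOrigin, rpId, challenge, authenticator) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) return null;
  const clientDataJSON =
    JSON.stringify({ type: 'webauthn.get', challenge, origin: pageOrigin });
  return authenticator.sign(rpId, clientDataJSON);
}

class RelyingParty {
  constructor(rpId, origin) {
    this.rpId = rpId; this.origin = origin;
    this.publicKeys = new Map(); this.pending = new Set();
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32).toString('base64url');
    this.pending.add(c);
    return c;
  }
  verify(user, assertion) {
    if (!assertion) return 'no-assertion';
    const publicKey = this.publicKeys.get(user);
    if (!publicKey) return 'unknown-user';
    const client = JSON.parse(assertion.clientDataJSON);
    if (client.type !== 'webauthn.get') return 'bad-type';
    if (!this.pending.delete(client.challenge)) return 'bad-challenge'; // single use
    if (client.origin !== this.origin) return 'origin-mismatch';
    if (!assertion.authData.equals(sha256(this.rpId))) return 'rpid-mismatch';
    const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
    return nodeCrypto.verify('sha256', signed, publicKey, assertion.signature)
      ? 'ok' : 'bad-signature';
  }
}

function runScenarios() {
  const GENUINE = 'https://login.example.com';          // constructed
  const LOOKALIKE = 'https://login-example.test';       // constructed
  const RP_ID = 'login.example.com';
  const rp = new RelyingParty(RP_ID, GENUINE);
  const key = new Authenticator();
  rp.enroll('alice', key.register(RP_ID));
  const clientData = (challenge, origin) =>
    JSON.stringify({ type: 'webauthn.get', challenge, origin });
  const result = {};

  // 1. Normal login on the genuine origin.
  const legit = browserGetAssertion(GENUINE, RP_ID, rp.newChallenge(), key);
  result.legitimate = rp.verify('alice', legit);

  // 2. The same assertion presented again: its challenge was already consumed.
  result.replay = rp.verify('alice', legit);

  // 3. Challenge relayed to a page on the lookalike origin: the browser refuses.
  result.relayedViaBrowser = rp.verify('alice',
    browserGetAssertion(LOOKALIKE, RP_ID, rp.newChallenge(), key));

  // 4. A client without the browser check still signs over the page's real origin.
  const c4 = rp.newChallenge();
  result.wrongOrigin = rp.verify('alice', key.sign(RP_ID, clientData(c4, LOOKALIKE)));

  // 5. Rewriting the origin field after signing invalidates the signature.
  const c5 = rp.newChallenge();
  const signedElsewhere = key.sign(RP_ID, clientData(c5, LOOKALIKE));
  result.rewrittenOrigin = rp.verify('alice',
    { ...signedElsewhere, clientDataJSON: clientData(c5, GENUINE) });
  return result;
}

console.log(runScenarios());
```

Only the first scenario returns `ok`; each of the others is rejected at a different check, which is why a relayed login yields nothing the relying party will accept.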


The Role of Hardware Authenticators


Physical security keys like YubiKey further strengthen this model 66. These devices store private keys in tamper-resistant secure elements. Even if the user’s PC is infected with malware, stealing the private key is extremely difficult 68. Because physical possession is required, they provide a very strong defense against remote attacks.


Comparing MFA Methods by Security Properties


Comparing the major MFA methods by their security attributes, based on the analysis above, makes it clear which method is better.

| Feature | SMS/Voice | TOTP (Authenticator App) | Push (Simple Approval) | FIDO2/WebAuthn (Phishing-Resistant) |
|---|---|---|---|---|
| Security Principle | Shared secret (code) | Shared secret (code) | User approval | Public-key crypto |
| Phishing Exposure | High (codes can be stolen) | High (codes can be stolen) | High (approval can be tricked) | Very low (origin binding) |
| AiTM Resistance | None | None | None | High |
| Push Bombing Resistance | N/A | N/A | High | N/A |
| NIST AAL Level | AAL1 (limited) | AAL2 | AAL2 | AAL3 (highest) |
| CISA Assessment | Weakest | Weak | Weak | Gold standard |

Source: Analysis based on CISA and NIST guidance 43

As shown, FIDO2/WebAuthn provides a distinct security level. It shifts the paradigm from “protecting shared secrets” to “not sharing secrets at all.”


Chapter 5: Implementing FIDO in Enterprise Systems – SOFTGIKEN’s FIDO Solutions


Even a powerful standard like FIDO2 must be integrated into complex enterprise IT environments to deliver value. SOFT GIKEN’s FIDO solutions provide concrete means to apply this advanced authentication in Windows environments. Here we focus on YubiOn FIDO Logon and YubiOn FIDO2 Server.


Strengthening PC Logon Security: YubiOn FIDO Logon


YubiOn FIDO Logon is software that strengthens logon to Windows PCs and Windows Server with FIDO2 authentication 104. Its core function is to require two-factor authentication using a FIDO2-compliant physical authenticator (e.g., YubiKey) in addition to traditional passwords 106. Even if a password leaks, logon is not possible without the physical authenticator—reducing unauthorized access risk.

Key characteristics:

  • Deployable within Active Directory (AD) environments without changing existing AD settings 107.

  • Supports authentication for standard Windows Remote Desktop (RDP) connections—helpful against one of the main ransomware entry paths 107.

  • Can enforce 2FA only for specific admin accounts 107 and supports a “FIDO logon enforcement” mode 108.

  • Available as a cloud-integrated edition and a standalone edition for closed networks without internet access 106.


Adding FIDO to Web Services: YubiOn FIDO2 Server


YubiOn FIDO2 Server is a server product that allows enterprises to add FIDO2 authentication to their own web services and applications 110, enabling passwordless or multi-factor login for internal portals or customer-facing sites 110.

Key characteristics:

  • FIDO Alliance–certified 112.

  • Available as a cloud service or an on-premises appliance 110 suitable for closed environments 110.

  • By introducing FIDO2, the risk of credential theft through phishing is significantly reduced thanks to origin binding, which prevents authentication on fraudulent domains.

These solutions apply the FIDO2 standard to two concrete enterprise security challenges: access to PCs/servers and access to web services.


Chapter 6: Scenario Analysis – How FIDO Could Have Protected Tokiha Group


Based on the preceding analysis, we examine how SOFTGIKEN’s FIDO solutions might have stopped attacks like those impacting Tokiha Group, using concrete scenarios.


Scenario 1: Compromise of a Privileged Admin (Phishing/AiTM)


This scenario assumes that an IT administrator with significant powers within an organization is targeted.


Attack Path


  1. Initial Entry: An IT admin receives a sophisticated phishing email impersonating Microsoft 365 and visits a fake login (AiTM reverse proxy).

  2. Credential Theft: The admin enters username, password, and traditional MFA code at the fake site; the attacker steals a valid session cookie 44.

  3. Internal Access: Using stolen credentials/cookies, the attacker connects to the internal network via VPN or RDP 22.

  4. Attack Execution: With admin privileges, the attacker laterally moves and deploys ransomware 71.


Defense with FIDO


  1. Defense Point 1 – Web Access Blocked: If web services (e.g., Microsoft 365 or internal systems) were integrated with YubiOn FIDO2 Server and required FIDO2, the attack would likely fail here. Attempting to authenticate on a phishing domain would be blocked by origin binding, and the authenticator would not sign 55. The attacker would not obtain a valid session cookie.

  2. Defense Point 2 – PC/Server Logon Blocked: Even if the attacker somehow obtained only the admin’s password and tried RDP logon, YubiOn FIDO Logon would require the physical authenticator 107. Without it, the attacker cannot log in.

Conclusion: FIDO provides multiple defensive layers: FIDO2 for web services prevents phishing-based theft, and hardware-enforced logon blocks unauthorized RDP access—even if a password leaks.


Scenario 2: Exploiting a Public Server (Brute Force/Misconfiguration)


This scenario assumes an attacker exploiting weak passwords on an internet-exposed server.


Attack Path


  1. Recon & Entry: The attacker finds a publicly exposed RDP server and brute-forces a weak password to log in 24.

  2. Privilege Escalation & Lateral Movement: After entry, the attacker steals more credentials and expands activity inside the network 71.

  3. Execution: The attacker seizes the domain and deploys ransomware.


Defense with FIDO


  1. Reconnaissance and Password Breach: Up to the point where the attacker discovers a publicly exposed RDP server and succeeds in cracking the password, the scenario is the same.

  2. Defensive Point: Blocking RDP Logon: The attacker attempts to initiate an RDP connection using the stolen password. However, if “YubiOn FIDO Logon” is installed on the server and MFA is enforced, the login screen requires not only a password but also interaction with a physical authenticator 107. Because the attacker does not possess the physical authenticator, they cannot complete the authentication process, and the intrusion attempt ultimately fails.

Conclusion: In this scenario, “YubiOn FIDO Logon” functions as the last line of defense. Even if the weak defensive layer of passwords is breached, the requirement to prove physical “possession” prevents the attacker from gaining access. This can effectively neutralize classical—but still highly effective—attack techniques such as brute‑force attacks.

These scenarios suggest that authentication solutions based on FIDO2 serve as defensive mechanisms at multiple critical stages in the attack chain and have the potential to significantly improve an organization’s security posture.


Chapter 7: Beyond Technology — Strengthening the “Human Firewall”


There is no doubt that advanced technologies like YubiOn can serve as a powerful barrier against cyberattacks. However, it is equally true that technical countermeasures alone cannot fully guarantee the security of an organization. In the chain of security, the most unpredictable element—and most frequently targeted—is always “people.” Building a “human firewall,” where all employees are security‑aware and function as the organization’s frontline defense, is an essential strategy that complements technological protections 73.


The Concept of a Human Firewall


A human firewall refers to the idea that every individual within an organization plays a part in defending against cyber threats. Just as a technological firewall protects network boundaries, trained and vigilant employees can spot and report phishing emails, social engineering attempts, and other attacks that exploit human psychology 73. Given that human factors contribute to many data breaches 76, strengthening this “human line of defense” is critically important.


The Role of Security Awareness Training


Continuous security awareness training is a concrete method for building a human firewall. Effective training instills the following knowledge and skills:

  • Threat Awareness: Employees learn specific attack techniques such as phishing, malware, and social engineering, and develop the ability to detect suspicious signs—unusual sender addresses, urgency‑inducing language, grammatical inconsistencies, etc. 78

  • Safe Behavior: Training fosters secure daily practices, such as creating and managing strong passwords, safe use of public Wi‑Fi, and compliance with internal policies for handling sensitive information.

  • Security Culture: Through training, employees internalize the idea that security is not solely the responsibility of the IT department but a shared responsibility across the entire organization 73.


Phishing Simulations: A Double‑Edged Sword


Phishing simulations—sending fake phishing emails to employees—are widely used to measure and enhance awareness.

Research shows they can be effective: one study found that training reduced phishing vulnerability by 80% and produced an average ROI of 37× 81.

However, their use requires caution. Some large‑scale studies report that decreases in click‑through rates are minimal and that the effects fade over time 82. Frequent testing can cause “training fatigue,” lowering morale and reducing attention to real threats 82. Punishing employees for failure risks fostering a culture of concealment, which is counterproductive.


The Ultimate Goal: Not Perfect Behavior, but Fast Reporting


The true value of a human firewall is not in creating “perfect humans” who never click phishing links—an unrealistic expectation. Rather, it lies in establishing a culture where employees immediately report anything suspicious to the security team without hesitation 74. Even false alarms provide valuable intelligence, and a single report can reveal the earliest signs of a large‑scale attack.

Here, an important synergy emerges between phishing‑resistant MFA and the human firewall. Strong technical measures like YubiOn function as a safety net. Even if an employee falls for phishing and enters credentials, the FIDO2 protocol acts as the last barrier, preventing access. Because technology minimizes the consequences of human error, organizations can safely conduct more realistic training—creating a positive security cycle that strengthens resilience.

Investment in the human firewall yields benefits beyond reducing clicks: faster incident response, compliance with regulations like GDPR/HIPAA, and stronger customer trust due to demonstrable security commitment 78.


Chapter 8: Strategic Recommendations for Building a Resilient Enterprise


Drawing from the Tokiha Group case and analysis of modern cyber threats, it is clear that deploying phishing‑resistant MFA is no longer merely “recommended”—it is mandatory. However, deploying a new authentication system across a large organization is not only a technical challenge but also a major organizational transformation. Below is a practical roadmap for implementing solutions like YubiOn successfully and constructing a truly resilient enterprise.


Adopting a Phased Deployment Approach


Rolling out a new authentication method to all employees at once may confuse and overload the help desk. A more realistic and effective approach is staged deployment, beginning with the highest‑risk segments 86.

  1. Phase 1: Protect High‑Risk Users: Priority should be given to accounts with the highest value and highest likelihood of being targeted: domain administrators, IT staff, executives, and finance personnel 87. A compromise of these privileged accounts can be catastrophic, making them the first targets for phishing‑resistant MFA.

  2. Phase 2: Fortify Remote Access: Next, protect VPN and RDP access for all users—major intrusion routes in modern ransomware campaigns 89. This strengthens the “front door” of the organization and greatly reduces unauthorized access risk.

  3. Phase 3: Secure Critical Applications: Apply phishing‑resistant MFA to critical cloud applications containing sensitive corporate or customer data—Microsoft 365, Salesforce, ERP platforms, and more 90.

  4. Phase 4: Organization‑Wide Rollout: Lastly, expand deployment to general employees. Lessons learned from earlier phases help streamline the organization‑wide implementation.


Planning for Full Lifecycle Management


Introducing security keys is not simply about distributing devices; a full lifecycle management plan—from registration to retirement—is essential 91.

  • Onboarding and Registration: Establish simple and secure registration procedures. Prepare clear manuals, and consider using pre‑registration services like Yubico FIDO Pre‑reg to simplify onboarding, especially for new hires 93. Best practice is to provide each user with two keys: a primary and a backup 92.

  • Support and Troubleshooting: Train the help desk to handle common issues (forgotten PINs, browser compatibility issues, lost keys) 95. A responsive support structure is crucial to the success of the project.

  • Offboarding and Recovery: When employees leave or move roles, ensure their access rights are revoked and their keys recovered or destroyed according to policy 86.


The Importance of Communication


Introducing new security measures imposes change on employees. A well‑crafted communication plan is essential to explain why the change is needed and how it protects both the company and employees 99. Security upgrades should not simply be “announced”; organizations must promote understanding, highlight convenience benefits (e.g., fewer passwords), and gain employee cooperation for a smooth transition.


Integration into a Zero Trust Architecture


The implementation of phishing-resistant MFA should not be seen as an end goal in itself, but rather positioned as a foundational element within a broader “Zero Trust” security strategy 62. Zero Trust is a security model based on the principle of “Never Trust, Always Verify,” in which every access request—regardless of whether it originates inside or outside the corporate network—is treated as untrusted and subjected to strict authentication and authorization. Strong user authentication is one of the most critical pillars supporting the realization of this Zero Trust architecture.

These recommendations highlight the fact that deploying phishing-resistant MFA is not merely a technical upgrade, but a strategic initiative that involves project management, change management, and organizational cultural transformation. Paying attention to human and organizational factors—such as user education, communication, and help desk readiness—is just as important as choosing the right technologies, and is essential for the project’s success and for guiding the organization toward true resilience.


Chapter 9: Conclusion — From Reactive Defense to Proactive Resilience


The cyberattack that struck the Oita Tokiha Group starkly revealed the severity of modern threats facing today’s enterprises and exposed the limitations of traditional security measures. This incident is no longer something that happens to “someone else”—it is a reality that any organization could face as soon as tomorrow. Our analysis shows that such disasters are not unpredictable acts of nature, but largely preventable man-made incidents caused by a chain of known vulnerabilities and well‑established attack techniques.

This report presented an effective approach to addressing this problem. First, we must face the reality of the threat. Ransomware attacks have evolved into complex disasters that undermine business continuity and cause large-scale data leaks. As IBM’s research indicates, the financial damage can reach hundreds of millions of yen, threatening the very survival of a company 11. Attackers break through defenses using well-established methods: credential theft via phishing, and exploiting vulnerabilities in remote access infrastructure such as VPN or RDP.

Next, we must recognize the limits of traditional defenses. Security models that rely on passwords have already collapsed. Furthermore, even common forms of multi-factor authentication (MFA), such as SMS or authenticator-app one-time passwords, can be neutralized by sophisticated techniques like AiTM attacks. These methods share a fundamental flaw: they cannot prevent attackers from hijacking the authenticated session itself.

And finally, we must understand the most important point: the solutions already exist and are operational today. Phishing-resistant MFA, recognized as the “gold standard” by global security authorities such as CISA and NIST, is the most effective technical answer to this problem. At its core, the FIDO2/WebAuthn standard uses public-key cryptography and origin binding to fundamentally prevent phishing and man‑in‑the‑middle attacks.
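
The origin binding described above, sketched as the relying-party side of a WebAuthn login, including what happens to an assertion that was produced on a lookalike site. This is an added example, not code from the original article or from any product named in it; the relying-party name, the lookalike origin and the in-memory authenticator are constructed, and attestation, COSE key parsing and signature-counter checks are left out.

```javascript
const crypto = require('crypto');

// Hypothetical relying party used for this example.
const RP_ID = 'login.example.com';
const EXPECTED_ORIGIN = 'https://login.example.com';
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Constructed stand-in for a security key plus the browser's part of the ceremony.
// The browser, not the user or the page, fills in `origin` and scopes `rpId`.
// Worst case for the defender is modelled: the same key signs on any site.
function makeAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  function getAssertion(challenge, origin, rpId) {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get', challenge: challenge.toString('base64url'), origin,
    }));
    // authenticatorData: rpIdHash (32 bytes) | flags (UP|UV = 0x05) | signCount (4 bytes)
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
    const signature = crypto.sign('sha256',
      Buffer.concat([authData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authData, signature };
  }
  return { publicKey, getAssertion };
}

// Relying-party side: returns 'ok' or the name of the first check that failed.
function verifyAssertion(assertion, expectedChallenge, publicKey) {
  const client = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return 'wrong type';
  const challenge = Buffer.from(String(client.challenge), 'base64url');
  if (challenge.length !== expectedChallenge.length ||
      !crypto.timingSafeEqual(challenge, expectedChallenge)) return 'challenge mismatch';
  if (client.origin !== EXPECTED_ORIGIN) return 'origin mismatch';
  if (!assertion.authData.subarray(0, 32).equals(sha256(RP_ID))) return 'rpIdHash mismatch';
  if ((assertion.authData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

function runScenarios() {
  const key = makeAuthenticator();
  const challenge = crypto.randomBytes(32); // issued by the relying party for this login
  const legit = key.getAssertion(challenge, EXPECTED_ORIGIN, RP_ID);

  // Constructed AiTM case: the user is on a lookalike site that relays the real challenge.
  const relayed = key.getAssertion(challenge,
    'https://login.example-sso.test', 'login.example-sso.test');

  // Same assertion with the origin field altered in transit.
  const rewritten = JSON.parse(relayed.clientDataJSON.toString('utf8'));
  rewritten.origin = EXPECTED_ORIGIN;
  const originForged = { ...relayed, clientDataJSON: Buffer.from(JSON.stringify(rewritten)) };

  // Origin and rpIdHash both altered: the signed bytes no longer match the signature.
  const bothForged = { ...originForged,
    authData: Buffer.concat([sha256(RP_ID), relayed.authData.subarray(32)]) };

  return {
    legit: verifyAssertion(legit, challenge, key.publicKey),
    relayed: verifyAssertion(relayed, challenge, key.publicKey),
    originForged: verifyAssertion(originForged, challenge, key.publicKey),
    bothForged: verifyAssertion(bothForged, challenge, key.publicKey),
    replayed: verifyAssertion(legit, crypto.randomBytes(32), key.publicKey),
  };
}

console.log(runScenarios());
```

A one-time password has no equivalent of these fields: the code a user types is the same string wherever it is entered, so the server cannot tell a relayed login from a direct one.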

Solutions such as Soft Giken’s “YubiOn FIDO Logon” and “YubiOn FIDO2 Server” provide concrete options for applying FIDO2 to corporate Windows environments and web services. Protecting critical entry points—such as PC logon and RDP access—with physical keys and strengthening authentication for web services can dramatically increase the likelihood of blocking common attack vectors at the initial stage.

Of course, technology alone is not a silver bullet. Continuous employee education to build a “human firewall” and efforts to embed security awareness into organizational culture are equally indispensable. However, it is ultimately the responsibility of management to assume that humans will make mistakes and to establish technical safety nets that prevent such mistakes from becoming catastrophic.

The enormous cost borne by the Tokiwa Group—months of operational disruption, leakage of hundreds of thousands of personal records, and incalculable damage to trust 8—far outweighs the investment required to deploy phishing-resistant MFA. The choice is clear: cling to outdated defenses and respond reactively to an inevitable crisis, or confront modern threats head‑on and invest in proven, highly effective protective measures to build proactive and genuine resilience. That decision is what determines the future of an enterprise.



References

  1. Tokiwa Department Store. Regarding the Cyberattack Damage at Our Company. Accessed July 24, 2025. https://www.tokiwa-dept.co.jp/topics/details/360

  2. Security News. All Tokiha Industry Stores Temporarily Closed on March 31 Due to Ransomware. Accessed July 24, 2025. https://rocket-boys.co.jp/security-measures-lab/tokihain-ransomware-closure-2025-03-31/

  3. YouTube. Supermarket “Tokiha Industry” Expected to Resume Operations on April 1 — All Stores Closed Due to Cyberattack. Accessed July 24, 2025. https://www.youtube.com/watch?v=xbrCiNG9Ac4

  4. Yahoo! Japan. Oita’s Tokiwa Hit by Cyberattack; Tokiha Industry Temporarily Closes All Stores. Accessed July 24, 2025. https://article.yahoo.co.jp/detail/fd558c0b19725df18f18a71ba7181c3166ae825c

  5. note.com. Learning from the Cyberattack on Tokiha Industry: System Failures and Risk Management. Accessed July 24, 2025. https://note.com/smatec/n/n40cbd5784304

  6. Security NEXT. Oita Supermarket Suffers Ransomware Attack — Temporary Closures but Reopens Next Day. Accessed July 24, 2025. https://www.security-next.com/168834

  7. Cybersecurity.com. Unauthorized Access Causes Temporary Closure of All 23 Tokiha Industry Stores. Accessed July 24, 2025. https://cybersecurity-jp.com/news/109414

  8. YouTube. Two Months After the Cyberattack: Tokiwa Group Still Unable to Process Credit Cards; Summer Gift Orders Delayed. Accessed July 24, 2025. https://www.youtube.com/watch?v=RoV31HzERGE

  9. YouTube. Two Months After the Cyberattack: Some Tokiwa Group Stores Resume Credit Card and Point Card Services. Accessed July 24, 2025. https://www.youtube.com/watch?v=rmmLfYgVfjU

  10. FNN Prime. Two Months After the Cyberattack: Partial Restoration of Credit Card Services at Tokiwa Group. Accessed July 24, 2025. https://www.fnn.jp/articles/-/888470

  11. IBM Newsroom. IBM Report: Escalating Data Breach Disruption Pushes Costs to New Highs. Accessed July 24, 2025. https://newsroom.ibm.com/2024-07-30-ibm-report-escalating-data-breach-disruption-pushes-costs-to-new-highs

  12. IBM Security. Cost of a Data Breach 2024. Accessed July 24, 2025. https://wp.table.media/wp-content/uploads/2024/07/30132828/Cost-of-a-Data-Breach-Report-2024.pdf

  13. Pentera. Data Breach Costs: Key Drivers and Trends. Accessed July 24, 2025. https://pentera.io/blog/cost-of-data-breach/

  14. IBM. Cost of a Data Breach 2024: Financial Industry. Accessed July 24, 2025. https://www.ibm.com/think/insights/cost-of-a-data-breach-2024-financial-industry

  15. Embroker. How Much Does a Data Breach Cost in 2024? Accessed July 24, 2025. https://www.embroker.com/blog/cost-of-a-data-breach/

  16. Griffiths & Armour. Data Breach Costs in 2024. Accessed July 24, 2025. https://www.griffithsandarmour.com/knowledge-centre/data-breach-costs-in-2024/

  17. Security News. Ransomware Attack on Tokiha Industry May Have Exposed 420,000 Personal Records. Accessed July 24, 2025. https://rocket-boys.co.jp/security-measures-lab/oita-tokiha-industry-ransomware-attack-potential-personal-info-leak/

  18. LANSCOPE. Six Major Infection Vectors of Ransomware. Accessed July 24, 2025. https://www.lanscope.jp/blogs/cyber_attack_cpdi_blog/20230403_29782/

  19. Kaspersky. Ransomware Report 2024. Accessed July 24, 2025. https://securelist.com/state-of-ransomware-in-2025/116475/

  20. Symantec Enterprise. Ransomware 2025: A Resilient and Persistent Threat. Accessed July 24, 2025. https://www.security.com/sites/default/files/2025-02/2025_02_Ransomware_2025.pdf

  21. Security NEXT. Possible Customer Data Leakage from Ransomware Attack – Tokiwa Group. Accessed July 24, 2025. https://www.security-next.com/172651/2

  22. Keeper Security. Why Are VPNs Targeted in Ransomware Attacks? Accessed July 24, 2025. https://www.keepersecurity.com/blog/ja/2024/07/29/why-are-vpns-targeted-in-ransomware-attacks/

  23. Trend Micro. Security Risks Commonly Seen in Cyberattack Victims Using VPN. Accessed July 24, 2025. https://www.trendmicro.com/ja_jp/jp-security/23/d/securitytrend-20230426-02.html

  24. NRI Secure. Increasing Attacks on VPN Devices: Case Studies & Analyst Recommendations. Accessed July 24, 2025. https://www.nri-secure.co.jp/blog/vpn

  25. GMO Cybersecurity. Understanding VPN Security Risks and Necessary Countermeasures. Accessed July 24, 2025. https://gmo-cybersecurity.com/column/security-measures/vpn/

  26. Surefire Cyber. Ransomware Threat Evolution Q1 2025. Accessed July 24, 2025. https://www.surefirecyber.com/ransomware-threat-evolution-q1-2025/

  27. Mitani Corporation. Are Your Windows RDP Settings Properly Secured? Five Steps to Protect Against Attacks. Accessed July 24, 2025. https://si.mitani-corp.co.jp/cloudbox/windows-rdp

  28. Enzoic. Insights from IBM’s 2024 Cost of a Data Breach Report. Accessed July 24, 2025. https://www.enzoic.com/blog/ibms-2024-cost-of-a-data-breach/

  29. Hornetsecurity. Q3 2024 Ransomware Attacks Survey. Accessed July 24, 2025. https://www.hornetsecurity.com/en/blog/ransomware-attacks-survey-2024/

  30. Kaspersky. How to Prevent Ransomware. Accessed July 24, 2025. https://www.kaspersky.co.jp/resource-center/threats/how-to-prevent-ransomware

  31. Cloud Security Japan. Does Ransomware Spread Through Email? Accessed July 24, 2025. https://www.cloud-security.jp/blog/ransomware-transmitted-by-email

  32. NEC Fielding. What Is a Phishing Email? Understanding Techniques and Countermeasures. Accessed July 24, 2025. https://www.fielding.co.jp/service/security/measures/column/column-11/

  33. Spacelift. 50+ Ransomware Statistics for 2025. Accessed July 24, 2025. https://spacelift.io/blog/ransomware-statistics

  34. Varonis. Ransomware Statistics, Data, Trends, and Facts 2024. Accessed July 24, 2025. https://www.varonis.com/blog/ransomware-statistics

  35. Loginsoft. Initial Access Brokers: The Hidden Architects of Modern Cyberattacks. Accessed July 24, 2025. https://www.loginsoft.com/post/initial-access-brokers-the-hidden-architects-of-modern-cyberattacks

  36. Cyberint. Initial Access Brokers Report. Accessed July 24, 2025. https://e.cyberint.com/hubfs/IAB%20Report%202025.pdf

  37. Cyberint. Initial Access Brokers: The Hard Facts. Accessed July 24, 2025. https://cyberint.com/blog/other/initial-access-brokers-the-hard-facts/

  38. SC Media. An Identity Defender’s Worst Nightmare? Initial Access Brokers and Why. Accessed July 24, 2025. https://www.scworld.com/news/an-identity-defenders-worst-nightmare-initial-access-brokers-and-here-is-why

  39. Google Cloud / Mandiant. To HADES and Back: UNC2165 Shifts to LOCKBIT to Evade Sanctions. Accessed July 24, 2025. https://cloud.google.com/blog/topics/threat-intelligence/unc2165-shifts-to-evade-sanctions

  40. Google Cloud. Ransomware Rebounds: Extortion Threat Surges in 2023; Attackers Rely on Public and Legitimate Tools. Accessed July 24, 2025. https://cloud.google.com/blog/topics/threat-intelligence/ransomware-attacks-surge-rely-on-public-legitimate-tools

  41. C‑NTN. Ranking the Infection Routes of Ransomware. Accessed July 24, 2025. https://www.c-ntn.co.jp/knowledge/ransomware-routes/

  42. NTT East. Remote Desktop Without Proper Countermeasures Is Dangerous — Full Security Guide. Accessed July 24, 2025. https://business.ntt-east.co.jp/content/cloudsolution/column-381.html

  43. Implementing Phishing-Resistant MFA – CISA. Accessed July 24, 2025. https://www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf

  44. Adversary-in-the-middle phishing - Datadog Security Labs. Accessed July 24, 2025. https://securitylabs.datadoghq.com/cloud-security-atlas/attacks/adversary-in-the-middle-phishing/

  45. Bypassing MFA: The Rise of Adversary-in-the-Middle (AitM) Attacks - Swissbit. Accessed July 24, 2025. https://www.swissbit.com/en/blog/post/bypassing-mfa-the-rise-of-adversary-in-the-middle-aitm-attacks/

  46. State-of-the-art phishing: MFA bypass - Cisco Talos Blog. Accessed July 24, 2025. https://blog.talosintelligence.com/state-of-the-art-phishing-mfa-bypass/

  47. AiTM Phishing Attacks: Evolving Threat to Microsoft 365 – Proofpoint US. Accessed July 24, 2025. https://www.proofpoint.com/us/blog/email-and-cloud-threats/aitm-phishing-attacks-evolving-threat-microsoft-365

  48. What Are Adversary-in-the-Middle (AiTM) Attacks? - ProWriters. Accessed July 24, 2025. https://prowritersins.com/cyber-insurance-blog/adversary-in-the-middle-aitm-phishing/

  49. #StopRansomware: ALPHV Blackcat | CISA. Accessed July 24, 2025. https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-353a

  50. Phishing-Resistant MFA vs. Standard MFA: What's the Difference? - Rublon. Accessed July 24, 2025. https://rublon.com/blog/phishing-resistant-mfa-vs-standard-mfa/

  51. Multi-Factor Authentication – NIST. Accessed July 24, 2025. https://www.nist.gov/itl/smallbusinesscyber/guidance-topic/multi-factor-authentication

  52. What Is Phishing-Resistant MFA and How Does it Work? - HYPR Blog. Accessed July 24, 2025. https://blog.hypr.com/what-is-phishing-resistant-mfa

  53. About FIDO – YubiOn. Accessed July 24, 2025. https://www.yubion.com/fido?lang=en

  54. What is FIDO2? How Does FIDO2 Authentication Work? - AuthX. Accessed July 24, 2025. https://www.authx.com/blog/what-is-fido2/

  55. How FIDO2 works, a technical deep dive - Michael Waterman. Accessed July 24, 2025. https://michaelwaterman.nl/2025/04/02/how-fido2-works-a-technical-deep-dive/

  56. What Is FIDO2 & How Does FIDO Authentication Work? - Descope. Accessed July 24, 2025. https://www.descope.com/learn/post/fido2

  57. FIDO2: What It Is and How It Works - Frontegg. Accessed July 24, 2025. https://frontegg.com/blog/fido2

  58. What Is FIDO2 and How Does It Work? FIDO Authentication Explained - Hideez. Accessed July 24, 2025. https://hideez.com/blogs/news/fido2-explained

  59. What Is FIDO2? | Microsoft Security. Accessed July 24, 2025. https://www.microsoft.com/en-us/security/business/security-101/what-is-fido2

  60. FIDO Authentication with WebAuthn - Auth0. Accessed July 24, 2025. https://auth0.com/docs/secure/multi-factor-authentication/fido-authentication-with-webauthn

  61. Implementing Phishing-Resistant MFA: Hands-On Developer Guide - SuperTokens. Accessed July 24, 2025. https://supertokens.com/blog/phishing-resistant-mfa

  62. FIDO Universal 2nd Factor Authentication | U2F - Yubico. Accessed July 24, 2025. https://www.yubico.com/authentication-standards/fido-u2f-standard/

  63. Let’s Talk About WebAuthn! – Medium (Samuelgbenga). Accessed July 24, 2025. https://medium.com/@samuelgbenga972/lets-talk-about-webauthn-f7118cfee3ab

  64. Why Phishing-Resistant MFA Is The Future of Secure Authentication - Token Ring. Accessed July 24, 2025. https://www.tokenring.com/learn/phishing-resistant-mfa

  65. What is Web Authentication? Definition and FAQs - Yubico. Accessed July 24, 2025. https://www.yubico.com/authentication-standards/webauthn/

  66. Yubico - FIDO Alliance. Accessed July 24, 2025. https://fidoalliance.org/company/yubico/

  67. YubiKeys: Two-Factor Authentication for Secure Login – Yubico. Accessed July 24, 2025. https://www.yubico.com/products/

  68. YubiKey Technical Manual - Yubico Product Documentation. Accessed July 24, 2025. https://docs.yubico.com/hardware/yubikey/yk-tech-manual/webdocs.pdf

  69. FIDO2: The Future of Passwordless Security with YubiKey and More - Authgear. Accessed July 24, 2025. https://www.authgear.com/post/fido2-the-future-of-passwordless-security-with-yubikey-and-more

  70. More than a Password - CISA. Accessed July 24, 2025. https://www.cisa.gov/MFA

  71. Mandiant Identifies UNC2165's Transition to Lockbit Ransomware - Anvilogic. Accessed July 24, 2025. https://www.anvilogic.com/threat-reports/mandiants-tracks-lockbit

  72. Understanding LockBit Ransomware: TTPs and Behavioral Insights for Effective Defense - Logpoint. Accessed July 24, 2025. https://www.logpoint.com/wp-content/uploads/2023/07/etp-lockbit.pdf

  73. What Is a Human Firewall? Meaning | Proofpoint US. Accessed July 24, 2025. https://www.proofpoint.com/us/threat-reference/human-firewall

  74. What is a Human Firewall? Definition, Examples & More - StrongDM. Accessed July 24, 2025. https://www.strongdm.com/what-is/human-firewall

  75. What is a Human Firewall? | NordLayer Learn. Accessed July 24, 2025. https://nordlayer.com/learn/firewall/human/

  76. 2024 Data Breach Investigations Report - Verizon. Accessed July 24, 2025. https://www.verizon.com/business/resources/reports/dbir./

  77. What is a Human Firewall? Examples, Strategies + Training Tips - Hoxhunt. Accessed July 24, 2025. https://hoxhunt.com/blog/human-firewall

  78. Why is Cyber Security Awareness Training Important for Employees? | BD Emerson. Accessed July 24, 2025. https://www.bdemerson.com/article/why-is-cyber-security-awareness-training-important

  79. Understanding the Importance of Cybersecurity Awareness Training - New Horizons - Blog. Accessed July 24, 2025. https://www.newhorizons.com/resources/blog/the-importance-of-cybersecurity-awareness-training

  80. Ransomware Prevention - Mimecast. Accessed July 24, 2025. https://www.mimecast.com/content/ransomware-prevention/

  81. Does phishing training work? Yes! Here's proof - CyberPilot. Accessed July 24, 2025. https://www.cyberpilot.io/cyberpilot-blog/does-phishing-training-work-yes-heres-proof

  82. Phishing simulations: What works and what doesn't - Help Net Security. Accessed July 24, 2025. https://www.helpnetsecurity.com/2025/07/23/phishing-simulations-effectiveness-in-organizations/

  83. Understanding the Efficacy of Phishing Training in Practice - Full-Time Faculty. Accessed July 24, 2025. https://people.cs.uchicago.edu/~grantho/papers/oakland2025_phishing-training.pdf

  84. We Trained 3 Million Employees: How Effective Is Security Awareness Training? - Hoxhunt. Accessed July 24, 2025. https://hoxhunt.com/blog/how-effective-is-security-awareness-training

  85. How To Build A Human Firewall In 5 Steps - CanIPhish. Accessed July 24, 2025. https://caniphish.com/blog/how-to-build-a-human-firewall

  86. Best Practices for Deploying FIDO Security Keys - Thales CPL. Accessed July 24, 2025. https://cpl.thalesgroup.com/blog/access-management/deploying-fido-security-keys-best-practices

  87. Enabling Phishing Resistant MFA for Admins: r/AZURE - Reddit. Accessed July 24, 2025. https://www.reddit.com/r/AZURE/comments/1lajvxj/enabling_phishing_resistant_mfa_for_admins/

  88. Require phishing-resistant multifactor authentication for administrators - Learn Microsoft. Accessed July 24, 2025. https://learn.microsoft.com/en-us/entra/identity/conditional-access/policy-admin-phish-resistant-mfa

  89. Multi-factor authentication's role in thwarting ransomware attacks - ESET. Accessed July 24, 2025. https://www.eset.com/us/about/newsroom/corporate-blog/multi-factor-authentications-role-in-thwarting-ransomware-attacks-1/

  90. Get started with a phishing-resistant passwordless authentication deployment in Microsoft Entra ID. Accessed July 24, 2025. https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-plan-prerequisites-phishing-resistant-passwordless-authentication

  91. Enterprise Adoption Best Practices | FIDO Alliance. Accessed July 24, 2025. https://fidoalliance.org/wp-content/uploads/Enterprise_Adoption_Best_Practices_Lifecycle_FIDO_Alliance.pdf

  92. Accelerate YubiKey adoption at scale - The Kernel. Accessed July 24, 2025. https://thekernel.com/wp-content/uploads/2022/07/Yubico_Best__practices_guide_for_YubiKey_deployment.pdf

  93. Yubico FIDO Pre-reg is here: What secure, fast passwordless onboarding and account recovery at scale means for your business and end users. Accessed July 24, 2025. https://www.yubico.com/blog/fido-pre-reg-is-here-what-secure-fast-passwordless-onboarding-and-account-recovery-at-scale-means-for-your-business-and-end-users/

  94. FIDO2 Deployment in the Enterprise - AuthN by IDEE. Accessed July 24, 2025. https://www.getidee.com/blog/fido2-deployment-in-the-enterprise

  95. Troubleshoot Passkeys and FIDO Security Keys - AWS Identity and Access Management. Accessed July 24, 2025. https://docs.aws.amazon.com/IAM//latest/UserGuide/troubleshoot_mfa-fido.html

  96. Android known issues with FIDO2 - Yubico Support. Accessed July 24, 2025. https://support.yubico.com/hc/en-us/articles/17865198749852-Android-known-issues-with-FIDO2

  97. Admin troubleshooting PIN support for FIDO2 WebAuthn - SecureAuth Product Docs. Accessed July 24, 2025. https://docs.secureauth.com/2104/en/admin-troubleshooting-pin-support-for-fido2-webauthn.html

  98. FIDO2 troubleshooting - Yubico Support. Accessed July 24, 2025. https://support.yubico.com/hc/en-us/articles/12107415748764-FIDO2-troubleshooting

  99. Free Download Multi-Factor Authentication Rollout Plan - Meegle. Accessed July 24, 2025. https://www.meegle.com/en_us/advanced-templates/implementation_roadmap/multi_factor_authentication_rollout_plan

  100. Duo_End_User_Education_Com. Accessed July 24, 2025. https://duo.com/assets/pdf/Duo_End_User_Education_Communication_Templates.docx

  101. 6 steps to effectively deploy MFA - IS Decisions. Accessed July 24, 2025. https://www.isdecisions.com/en/blog/mfa/6-must-dos-when-preparing-your-business-for-multi-factor-authentication

  102. MFA Announcement to Organization (email template?) - Microsoft Community Hub. Accessed July 24, 2025. https://techcommunity.microsoft.com/discussions/identityauth/mfa-announcement-to-organization-email-template/171616

  103. Secure, Safe, and Comfortable Authentication Solutions | YubiOn (Japan). Accessed July 24, 2025. https://www.yubion.com/

  104. Soft Giken Releases “YubiOn FIDO Logon,” Enabling Passwordless Windows Logon. Accessed July 26, 2025. https://it.impress.co.jp/articles/-/21479

  105. “Passkey” Support Added to YubiOn FIDO Logon Web Management Console. Accessed July 26, 2025. https://www.yubion.com/post/%E3%80%8C%E3%83%91%E3%82%B9%E3%82%AD%E3%83%BC%E3%80%8D%E5%AF%BE%E5%BF%9C%E3%80%81%E3%80%8Cyubion-fido-logon%E3%80%8Dweb%E7%AE%A1%E7%90%86%E3%82%B3%E3%83%B3%E3%82%BD%E3%83%BC%E3%83%AB%E3%81%AB

  106. Strengthening PC Logon with YubiOn Windows Logon. Accessed July 26, 2025. https://www.yubion.com/windowslogon

  107. The Definitive Multi‑Factor Authentication for PCs: “YubiOn FIDO Logon” Adds Support for Key Registration at the Logon Screen, Following Remote Desktop Support | Soft Giken. Accessed July 26, 2025. https://sgk.co.jp/news/20241212/

  108. Passkey Login Supported for Remote Desktop Connections with the YubiOn FIDO Logon Service. Accessed July 26, 2025. https://www.dreamnews.jp/press/0000300456/

  109. Passkey Login Supported for Remote Desktop Connections with the YubiOn FIDO Logon Service. Accessed July 26, 2025. https://www.yubion.com/post/20240701

  110. YubiOn FIDO2 Server: Authentication Enhancement Service Available Without Infrastructure Setup. Accessed July 26, 2025. https://www.yubion.com/fido2-server

  111. Launch of YubiOn FIDO Logon Cloud Service Supporting FIDO2 Authentication — Toward a Safer and More Convenient Society | Soft Giken Press Release. Accessed July 26, 2025. https://sgk.co.jp/news/20210512/

  112. Secure, Safe, and Comfortable Authentication Solutions “YubiOn” – Keyman’s Net (IT product comparison & review site). Accessed July 26, 2025. https://kn.itmedia.co.jp/endsec/authc/product/30843/




 
 
