Responding to Market Concerns about the Trusted Exchange of Student Data
CIOs and platform providers have security-related concerns about sensitive and personally identifiable information (PII) being passed between platforms and tools. Older security frameworks have demonstrated vulnerabilities. 1EdTech Consortium members—over 880 leading school districts, higher education institutions, states, and edtech solution providers—are leading efforts to improve student privacy and security by adopting the new 1EdTech Security Framework.
Learning Tools Interoperability® (LTI®) 1.3 and LTI Advantage are the first 1EdTech standards to leverage the new security model. Beyond the privacy and security benefits, LTI 1.3 has a more straightforward upgrade path than other versions. It also has the full support and endorsement of major platform providers.
See the digital teaching and learning tools and platforms certified for LTI 1.3 in the TrustEd Apps Directory.
LTI 1.3 Has Better Security
The 1EdTech Security Framework adopts the industry standard protocol IETF OAuth 2.0 for authentication services along with JSON Web Tokens (JWT) for secure message signing and adopts the Open ID Connect workflow paradigm.
- Agile—Tools and platforms can leverage up-to-date OAuth 2.0 libraries and common industry standard practices in their implementations, which accelerates their development.
- Flexible—A modernized security model that is independent of the core spec, allowing for the evolution of security without driving change into the core. Likewise, core changes can evolve without impacting security.
- Protected Launch—OAuth 2.0 is an established industry model leveraging HTTPS (using TLS) encryption in place of the complex cryptographic signatures required in OAuth 1.0.
- Mobile Ready—The model is independent of web browsers, a better solution for server-to-server, native desktop and mobile applications.
- Scalable—OAuth 2.0 scales better, supporting separate roles and servers for authorization versus resource servers handling API calls.
- Robust—OAuth 2.0 libraries are actively maintained and have a strong community of use and stability.
A Simpler Upgrade Path
As a specification, LTI 1.3 is based upon LTI 1.1, the LTI version adopted by the vast majority of LTI implementations today; therefore, LTI 1.3 is more compatible with LTI 1.1 services and messages and provides a simpler upgrade path for most implementers.
More Secure than Custom, Non-LTI, and Early LTI Versions
To achieve 1EdTech certification and maintain compliance, each tool must recertify annually. This process verifies the proper operation of the security and the data transfer processes against a conformance specification. Tools and platforms that pass LTI 1.3 certification have demonstrated operational compliance with OAuth 2.0 and JWT message signing protocols. Non-standard or older implementations of LTI that use proprietary security schemes or OAuth 1.0 variations have known risks or vulnerabilities requiring much deeper, time-consuming security evaluations. LTI 1.3 and LTI Advantage certification provides peace of mind to administrative and security officers alike.
New Single-Registration Option
The updated security comes with a cost, as management of public/private keys can be an additional step for tool providers. However, this is offset by the fact that OAuth 2.0 does not require special message signing and is a well-understood protocol in the market, so the developer learning curve should be lower. And, it appears most platforms will be adopting LTI 1.3 in such a way that offers workflows to simplify processes for tools and for their users. For example, in many cases, it will be possible for a tool to register once globally with a platform allowing implementers to adopt the tool without requiring additional communication with the tool provider; e.g., Tool X can register with an LMS once, and users of the LMS will be able to easily find and adopt the tool without having to contact Tool X for keys or configuration information.
LTI Advantage is Based on LTI 1.3
LTI Advantage is a set of three LTI services based on the core LTI 1.3 specification that makes it easier for faculty to build, manage, and offer courses with a premium user experience while providing world-class security. The availability of specific features is based solely on the platform and tools in use. The current LTI Advantage services include:
- Assignment and Grade Services seamlessly syncs grades, progress, and comments from multiple sources into an LMS platform’s gradebook, greatly reducing faculty effort and the chance of errors.
- Deep Linking supports a natural and efficient user workflow between a learning object repository or content tool and the LMS platform when developing courses and programs, again saving teachers’ time.
- Names and Role Provisioning Services securely shares course roster/enrollment information with the requesting tool to enhance users’ experiences and provide administrators a basis for who has used the tool and, importantly, who has not.
Each of these services requires the new and improved security model available with LTI 1.3, enabling the foundation for a better, more secure user experience.