Trusted Exchange of Student Data
Why Platforms and Tools Should Adopt LTI 1.3
Responding to Market Concerns about Student Data Privacy and Security
CIOs and their platform providers have security-related concerns about sensitive and personally identifiable information (PII) being passed between platforms and tools. Older security frameworks have demonstrated vulnerabilities. IMS Global Learning Consortium (IMS) members are leading the drive to improved student privacy and security by adopting an IMS-wide updated security framework. Beyond the privacy and security benefits, Learning Tools Interoperability® (LTI®) 1.3 has a simpler upgrade path than other versions and the full support and endorsement of major platform providers.
LTI 1.3 Has Better Security
Agile — Based on IMS Global’s adoption of the Internet Engineering Task Force (IETF) OAuth2 standard using private-public key pairs, to replace the unsupported OAuth 1.0a. Tools and platforms can leverage up-to-date OAuth2 libraries and common industry standard practices in their implementations, which accelerates their development.
Flexible — A modernized security model that is independent of the core spec, allowing for the evolution of security without driving change into the core. Likewise, core changes can evolve without impacting security.
Protected Launch — OAuth2 is an established industry model leveraging HTTPS (using TLS) encryption in place of the complex cryptographic signatures required in OAuth1. In addition, the enhanced IMS security model requires the use of JSON Web Tokens (JWT) for the OAuth2 message signing.
Mobile Ready — The model is independent of web browsers, a better solution for server-to-server, native desktop and mobile applications.
Scalable — OAuth2 scales better, supporting separate roles and servers for authorization versus resource servers handling API calls.
Robust — OAuth2 libraries are actively maintained and a strong community of use and stability.
A Simpler Upgrade Path
As a specification, LTI 1.3 is based upon LTI 1.1, the LTI version adopted by the vast majority of LTI implementations today, therefore LTI 1.3 is more compatible with LTI 1.1 services and messages and provides a simpler upgrade path for the most implementers.
More Secure than Custom, Non-LTI and older LTI Solutions
To achieve IMS Certification and to maintain compliance, each tool must recertify at least annually and this process verifies the proper operation of the security and the data transfer processes against a conformance specification. Tools and platforms that pass LTI 1.3 certification have demonstrated operational compliance with OAuth2 and JWT message signing protocols. Non-standard or older implementations of LTI that use proprietary security schemes or OAuth 1.0 variations have known risks or vulnerabilities requiring much deeper, time-consuming security evaluations. LTI 1.3 and LTI Advantage certification provides the piece of mind to administrative and security officers alike.
New Single-Registration Option
The updated security comes with a cost, as management of public/private keys can be an additional step for tool providers. This, however, is offset by the fact OAuth2 does not require special message signing and is a well-understood protocol in the market, the developer learning curve should be lower. And, it appears most platforms will be adopting LTI 1.3 in such a way that offer workflows to simplify processes for tools and for their users. For example, in many cases it will be possible for a tool to register once globally with a platform allowing implementers to adopt the tool without requiring additional communication with the tool provider; e.g. Tool X can register with an LMS once and users of the LMS will be able to easily find and adopt the tool without having to contact Tool X for keys or configuration information.
LTI Advantage is Based on LTI 1.3
IMS Global has announced LTI Advantage, a set of three LTI service extensions based on the LTI 1.3 core that make it easier for faculty to build, manage and offer courses with a premium user experience while providing world-class security. The current LTI Advantage extensions include:
- Assignment and Grade Services seamlessly syncs grades, progress and comments from multiple sources into an LMS platform’s gradebook, greatly reducing faculty effort and the chance of errors.
- Deep Linking supports a natural and efficient user workflow between a learning object repository or content tool and the LMS platform when developing courses and programs, again saving teachers’ time.
- Names and Role Provisioning Services securely shares course roster/enrollment information with the requesting tool to enhance users’ experiences and provide administrators a basis for who has used the tool and importantly, who has not.
Each of these extensions requires the new and improved security model available with LTI 1.3, laying the foundation for a better user experience. Please note, the availability of specific features is based solely upon the platform and tools in use. To get the best, most secure LTI experience always use IMS-certified products as published in the IMS Product Directory at imscert.org.