This FAQ is intended to be a resource for 1EdTech members looking to implement LTI™ Advantage. It supplements general information about the Learning Tools Interoperability (LTI)® standard and LTI Advantage by providing 1EdTech members with the latest updates and other important details needed to speed adoption. This FAQ also addresses a recently uncovered security threat and the actions taken to resolve it.
This FAQ will be revised and new information added as the status of LTI Advantage changes.
LTI Advantage Adoption and Certification FAQ
What is the current status of LTI Advantage?
LTI 1.3 and LTI Advantage are now available for public adoption and 1EdTech member certification.
When should my organization (or our suppliers) adopt and certify for LTI Advantage?
We recommend suppliers begin implementing now. The leading platform vendors are well along with their implementations, and the same is true of many tool suppliers. The ability to move forward so quickly is made possible by the fully functional Reference Implementation, which can be used as a model and a testing proxy. 1EdTech continues to issue conformance certification for LTI 1.0 and 1.1, but we strongly recommend that all suppliers move to LTI 1.3, which leverages the newly released 1EdTech Security Framework and is the required core for LTI Advantage.
Is LTI 1.3 backward compatible?
LTI 1.3 adopts the new 1EdTech Security Framework, which is based on the industry-standard protocol IETF OAuth 2.0 for authentication services along with JSON Web Tokens (JWT) for secure message signing and the OpenID Connect workflow paradigm. LTI 1.3 and the 1EdTech Security Framework do not support backward compatibility.
Review the LTI 1.3 Migration Guide to understand the differences and strategies for integrating LTI 1.1 and 1.3 systems at https://www.imsglobal.org/spec/lti/v1p3/migr.
Once you've implemented LTI 1.3, certification testing is available at https://www.imsglobal.org/lti-advantage-certification-suite.
What is the Cross-Site Request Forgery threat and why does it have a low probability of occurrence for LTI?
During the Candidate Final adoption phase of the 1EdTech Security Framework and LTI 1.3 (the required core for LTI Advantage), a proposal was brought forward to add another layer of security to address a low-probability threat related to the prevention of phishing, also known on the open web as Cross-Site Request Forgery. The recommendation to incorporate forgery prevention into the LTI 1.3 standard was accepted by the LTI Advantage Product Steering Committee as a solution that would provide long-term benefits to both suppliers and institutions.
There have not been any reported cases of the Cross-Site Request Forgery threat in the use of LTI, and it is important to note that these types of threats are not specific to LTI but exist for anyone on the web. However, 1EdTech is pleased that LTI can offer a solution through its updated LTI Advantage. The risk is considered low because a potential perpetrator of a forgery attempt must first be logged in as a valid user in a learning platform, then execute tasks requiring significant technical skills, and finally entice another user to click a provided link. It is technically possible, but the probability is very low. In any event, the protective solution, once finalized, will provide even greater support for our goal of making LTI Advantage the most secure edtech integration option available.
What impact does a Cross-Site Request Forgery have on earlier versions of LTI?
The potential for Cross-Site Request Forgery exists for anyone on the open web. Importantly, there have not been any reported instances of a Cross-Site Request Forgery event with LTI; however, 1EdTech chooses to emphasize caution in matters of security and data privacy. It remains our recommendation that suppliers move to LTI 1.3 to ensure they are utilizing the most secure edtech integration available. LTI Advantage requires LTI 1.3 as the core. LTI Advantage is not backward compatible with earlier versions of LTI.
For organizations that decide not to upgrade LTI versions, 1EdTech is providing a security update for selected legacy versions of LTI. These updated specifications, along with implementation guidance and 1EdTech certification, are designated as 1.0.1 and 1.1.2 and are planned to be available for certification through mid-year 2022. After that time, LTI 1.3 and its successor will be the minimum versions eligible for 1EdTech certification. The LTI Security Update patch document for LTI versions 1.0.1 and 1.1.2 is now available.
Read the complete LTI Security Update and Deprecation Schedule (July 2019) announcement for more information.