Moodle Authentication Security with Peter Burnett.
Security – why it matters
“Security of services on the internet is not optional,” stresses Catalyst IT Australia’s Project Manager and Software Developer, Peter Burnett.
“Intellectual property (IP) such as training materials and course design, as well as Personally Identifiable Information (PII) of users needs to be protected and it’s your organisation’s responsibility to do so.”
In his recent presentation at the Moodle Moot Global 2023 – The Nuts and Bolts of Moodle Authentication Security – Peter pointed out that while Identity Providers, also referred to as ‘IdPs’ (e.g. Active Directory, Okta, Auth0), are the “gold standard for managing user identities across services”, using one is not always simple or even possible.
For example, you may have a corporate network with Moodle hosted outside of it, and no way for the two systems to talk to each other.
In addition, using IdPs requires know-how. As organisations grow and mature, they may struggle to oversee and respond to changing security needs.
“Keeping up with best practices for security is a never-ending battle,” says Peter, “but the two key things to keep in mind when reviewing your security strategies are:
Knowledge = something you know = passwords; and
Possession = something you have = physical object or other software.
Two tips for passwords:
- Ensure your site is using a password policy and make it somewhat complex.
- You can use tool_passwordvalidator to check passwords against password breach collections.
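The two tips above describe a complexity policy and a breach-collection lookup. The block below is an added example of what those two checks look like in code; it is not code from Moodle core or from tool_passwordvalidator. The policy fields mirror the names on Moodle's password policy admin page (minimum length, digits, lower/upper case, non-alphanumeric characters, consecutive identical characters), the breach collection is a constructed sample of SHA-1 digests of a few notoriously weak passwords, and `breach_range` is a local stand-in for the kind of range query breach services expose (the client sends only a short hash prefix and compares the returned suffixes itself, so the full password hash never leaves the site).

```python
"""Password policy and breach-collection checks.  Added example; assumptions:
the policy field names follow Moodle's admin page, the breach collection is a
constructed sample, and breach_range() stands in for a remote range query."""
import hashlib
from dataclasses import dataclass
from typing import List


@dataclass
class PasswordPolicy:
    minlength: int = 8
    min_digits: int = 1
    min_lower: int = 1
    min_upper: int = 1
    min_nonalnum: int = 1
    max_consecutive_identical: int = 0   # 0 means no limit


def policy_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return every rule of the policy the password fails (empty list = passes)."""
    problems = []
    if len(password) < policy.minlength:
        problems.append(f"at least {policy.minlength} characters")
    if sum(c.isdigit() for c in password) < policy.min_digits:
        problems.append(f"at least {policy.min_digits} digit(s)")
    if sum(c.islower() for c in password) < policy.min_lower:
        problems.append(f"at least {policy.min_lower} lower-case letter(s)")
    if sum(c.isupper() for c in password) < policy.min_upper:
        problems.append(f"at least {policy.min_upper} upper-case letter(s)")
    if sum(not c.isalnum() for c in password) < policy.min_nonalnum:
        problems.append(f"at least {policy.min_nonalnum} non-alphanumeric character(s)")
    if policy.max_consecutive_identical:
        run = 1
        for prev, cur in zip(password, password[1:]):
            run = run + 1 if prev == cur else 1
            if run > policy.max_consecutive_identical:
                problems.append(
                    f"no more than {policy.max_consecutive_identical} consecutive identical characters")
                break
    return problems


# Constructed sample breach collection: SHA-1 digests, upper-case hex, of a few
# well-known weak passwords.  A real collection holds hundreds of millions.
BREACH_COLLECTION = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "123456", "qwerty", "letmein", "Passw0rd!")
}


def breach_range(prefix: str) -> List[str]:
    """Stand-in for a k-anonymity range query: given the first five hex
    characters of a SHA-1 digest, return the suffixes of every breached hash
    that shares that prefix.  Only the prefix leaves the client."""
    if len(prefix) != 5:
        raise ValueError("range queries take a 5-character hex prefix")
    return sorted(h[5:] for h in BREACH_COLLECTION if h.startswith(prefix))


def is_breached(password: str) -> bool:
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    return suffix in breach_range(prefix)        # comparison happens locally


def check_password(password: str, policy: PasswordPolicy = PasswordPolicy()) -> List[str]:
    """Combined check: policy violations plus a breach lookup, as a list of reasons."""
    problems = policy_violations(password, policy)
    if is_breached(password):
        problems.append("appears in a breach collection")
    return problems


if __name__ == "__main__":
    for candidate in ("password", "Passw0rd!", "Correct-Horse-1"):
        print(candidate, "->", check_password(candidate) or "OK")
```

Note that "Passw0rd!" satisfies every complexity rule and is still rejected: a policy alone does not catch passwords attackers already hold, which is why the breach check is the second tip and not a substitute for the first.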
“As for Possession, the most common usage is authenticator apps on smartphones, SMS verification codes and physical key chain tokens.”
“Our team found that existing Moodle plugins for two-factor authentication were unable to cover all authentication mechanisms, so we developed tool_mfa, which provides MFA verification separate from login. Having gained popularity among users, this will become a part of Moodle core from Moodle 4.3 onwards.”
“The levels of complexities are endless for MFA. Roles, networks and authorisation types provide a rich configuration matrix; and password policies can be matched to your organisational risk appetite.”
For examples of how to configure MFA, and recommended tools to use alongside tool_mfa for optimal protection, view Peter’s presentation recording from the Moodle Moot Global 2023 here.
Catalyst has been providing quality e-learning and Open Source solutions, customised to our clients’ individual needs, for over 20 years. We specialise in software development and IT Managed Services designed for enterprise-level and growing organisations. ISO 27001 certified, we are trusted by major universities and colleges as well as Government and major organisations in the Health, Not-for-Profit and Commercial sectors.
All our hosting clients enjoy 24/7 Follow the Sun support and highly available, flexible and secure cloud infrastructure, so they can focus on what they do best – providing quality teaching and learning experiences for their users.