John Arthur Berg, Data Protection Officer (DPO), itslearning.
This post may not win me friends among my colleagues, customers or our industry in general, but it is true nonetheless; simple authentication–like a username and password–is not secure enough for protecting important personal data in today’s world.
The more security-minded of us may have turned on so called “multi-factor authentication” (MFA*1) on our Facebook, Dropbox, Gmail or LinkedIn accounts. Yet most of the companies and customers in our industry seem happy to stick to a simple username and password to protect the often vast amount of important personal data that is found in learning platforms, assessment platforms, student information systems and content platforms.
“Yes, but does GDPR require us to use MFA?”, you might ask. Simple question–complex answer.
Perhaps the most important joint responsibility between a data controller (say a school owner) and a data processor (like itslearning) is to ensure appropriate technical and organisational security. What is appropriate depends on the consequence for a data subject if his or her data is lost or stolen. Or in other words; what is appropriate depends on how worthy of protection the data you process is.
So I will not say as a general rule of thumb that GDPR would require MFA for educational platforms. I will let two organisations with a lot more authority on the subject do it for me:
1. “It is our opinion that staff access to an LMS requires a stronger authentication mechanism than username and password”. (From the Norwegian supervising authority guidelines for learning management platforms.*2)
2. “Educational authorities and e-learning platform providers and manufacturers are called upon to […] allow for, and require, the use of a multi-factor authentication mechanism for administrators and educators to log in to the platform to prevent misuse through stolen passwords.” (Resolution on e-learning platforms from the 40th International Conference of Data Protection & Privacy Commissioners.*3)
Many have held the view that unless the data is “sensitive” (or as GDPR calls it; “special categories” of personal data), it is not necessary to protect with a stronger authentication mechanism. This is an oversimplification; categorisation of data is not always correlated with how important it is to protect it. If you gained access to a teacher’s account in an administrative system, you could have access to dozens of students’ assessments, home addresses, parents’ details and contact information. This is every bit as important to protect as a message from your doctor on how to deal with your insomnia.
Yes, there will be exceptions. If you only use your platform for sharing a PowerPoint with your students, “weak” security might still be enough (at least if very little student data is available through the system). If you have other layers of security (private networks, IP-restrictions, etc.) you might be off the hook. But unless you conduct and pass a careful risk-assessment, your default approach should be MFA.
itslearning is now rolling out a built-in MFA feature and will be requiring some types of users to enable it. It will eventually be available for customers to implement for any user role. But many commercial platforms like itslearning have been reluctant to come up with solutions like this, and not without good reason.
Firstly, features not required (or desired) by customers rarely make it to the top of a roadmap. (It can be quite ironic; many customers require “back-end” security measures at the same level as banks or hospitals but do not connect the dots to end-user access.) Secondly, for most organisations using an e-learning platform, authentication is handled in a separate system, provided internally or from a different vendor. For example, in Norway virtually every teacher uses “Feide” (a national federated identity provider).
Thirdly and most importantly, everyone is concerned about implementation and the impact this has on adoption of a platform. While the aforementioned “Feide” has had support for MFA since 2015, uptake has been slow. Hurdles can include negotiating with teachers who don´t want to use their private mobile phones for work purposes without compensation (SMS or authenticator apps are probably the cheapest way to get an acceptable MFA solution up and running). There is also a real fear that MFA would provide an extra hurdle, driving teachers to back textbooks instead of digital platforms.
But we have to accept that the world has changed, and that “appropriate” security is not static–it changes as we rely more on technology, and as threat levels increase. A simple password standing in the way of your students’ personal data being available to anyone in the world just isn´t enough.
So if you are responsible for an e-learning system, you should start to assess your options for MFA (itslearning or any other system that can offer this) and carefully build an implementation and rollout plan that doesn´t end up impacting technology adoption.
[*1] MFA might sound very complicated, but it is really quite simple. It is about confirming your identify in multiple ways, most commonly combining something only you know (like a password) with something only you have (like a one-time code from a code-generator or a text message).