LTI 1.1 vs 1.3: Which Version is Right for Your Learning Platform?

What are LTI 1.1 and LTI 1.3?

LTI 1.1

LTI 1.1 was launched by 1EdTech in 2012 as an extension of the original LTI specifications. At the time, this version made it possible for the first time to integrate external tools, like quiz modules, e-learning, and other learning resources, into learning environments (LMS) through a standard single sign-on (SSO). This gave users direct access to these tools without multiple logins. LTI 1.1 enabled basic data transfer and was mainly introduced to save time and effort in integrating various tools within a single learning environment.

LTI 1.3

LTI 1.3, launched in 2019, was developed in response to growing demands for security and data management within educational environments. As technology and e-learning usage rapidly evolved, stronger authentication protocols were also needed. LTI 1.3 integrated OAuth2 and OpenID Connect, providing a much more robust and secure authentication process. This allowed platforms to offer not only more secure integrations but also more possibilities for data exchange and linkages between tools and content within platforms.

Why Are LTI 1.1 and LTI 1.3 Important?

Both versions were developed to simplify interoperability between learning platforms and educational tools. This was necessary because learning environments were increasingly utilizing a wide range of applications, such as simulation tools, assessments, interactive modules, and more. The standardization of LTI made it easy to integrate all these applications, saving schools and developers time and money.

With LTI 1.3, there’s an added emphasis on data security and flexible integration options, making this version essential for modern learning platforms where privacy and usability are paramount.

The Features of LTI 1.1 and 1.3

LTI 1.1

LTI 1.1 was launched as a basic protocol enabling user authentication and basic data transfer. Some of its key features include:

• Security: LTI 1.1 primarily uses OAuth 1.0a for security, a protocol for authorization. While OAuth 1.0a offers some level of security, it has limitations and is considered less secure than newer standards.
• Data Exchange: In LTI 1.1, when a learning tool is launched from an LMS, it contains basic information about the user, course, and user role. This data is transferred through HTTP request parameters.
• Extensions: LTI 1.1 introduced extensions that enabled additional services, such as sending grades back to the LMS.

LTI 1.3

LTI 1.3 is an enhanced version of 1.1, particularly in terms of security, flexibility, and data exchange. Its main improvements include:

• Security: LTI 1.3 introduced significant security improvements, utilizing OAuth 2.0 and JSON Web Tokens (JWT), which are more secure and modern standards for authorization. This change addresses the security concerns users of version 1.1 had.
• Data Exchange: LTI 1.3 uses a more structured and secure approach for data exchange. Information about the user, course, and role is encapsulated in a JWT, a compact, URL-safe way to represent claims that must be transferred between two parties.
• Extensions and Services: LTI 1.3 introduces a more robust way to extend functionality, supporting LTI Advantage, which includes services such as Deep Linking (for content integration), Names and Role Provisioning (for retrieving information about users in a course), and Assignment and Grade Services (for synchronizing grades and assignment data with the LMS).
• Interoperability and Flexibility: LTI 1.3 is designed to be more flexible and interoperable, making it easier for different tools and platforms to work together seamlessly.
• Future-Proofing: By adopting OAuth 2.0 and JWT, LTI 1.3 aligns with current industry standards, ensuring better compatibility with future technologies and security practices.

LTI 1.1 vs. 1.3: Differences in Security

The primary difference between the two LTI versions lies in the enhanced security capabilities of LTI 1.3, which manifest in several areas.

1. Security Level and Authentication Protocol

• LTI 1.1 (OAuth 1.0a): LTI 1.1 uses OAuth 1.0a, which is limited in security options and does not support more modern authentication and authorization mechanisms. OAuth 1.0a relies on a complex "signing" process that can be error-prone and offers less protection against "man-in-the-middle" attacks.
• LTI 1.3 (OAuth2 + OpenID Connect): LTI 1.3 provides greatly improved security by using OAuth2 alongside OpenID Connect. OAuth2 simplifies implementation, enhances security with better encryption, and enables robust access tokens. OpenID Connect adds an additional authentication layer, verifying user identity and protecting against forgery.

2. User Authentication and Session Management

• LTI 1.1: LTI 1.1 has limited support for user authentication and lacks session management features, making it challenging for platforms and tools to exchange detailed information about user sessions, restricting the ability to manage user identity and permissions within an LMS.
• LTI 1.3: LTI 1.3 leverages OpenID Connect, enabling user authentication based on standardized identity claims. This provides more control and reliability in managing user identity and sessions, which is valuable for LMSs that want detailed access to user permissions and authorizations.

3. Data Exchange and Flexibility

• LTI 1.1: In LTI 1.1, data exchange is limited to basic information about the user and the course, making it harder to share extensive and complex data between an LMS and external tools, which limits flexibility.
• LTI 1.3: LTI 1.3 offers extensive data exchange capabilities, greatly improving communication and flexibility between LMSs and tools. This is thanks to new deep linking options, allowing content and resources to be dynamically linked and managed.

4. Scalability and Maintainability

• LTI 1.1: The limited, outdated protocol in LTI 1.1 makes it less scalable for large or complex LMS environments, as it’s challenging to securely scale connections and integrations.
• LTI 1.3: With new standard protocols, LTI 1.3 is more scalable and easier to maintain. OAuth2 and OpenID Connect make integrations future-proof, simpler to implement, and safer on a larger scale.

These improvements in LTI 1.3 make this version ideal for learning environments that need robust, scalable, and secure integrations, while LTI 1.1 remains a basic option for simpler, less critical applications.

LTI 1.1 vs LTI 1.3: Which Version Should I Use?

While LTI 1.1 is still supported, LTI 1.3 is the logical choice for platforms that require stronger security and flexibility. Platforms with straightforward integration needs and less emphasis on extensive data can continue using LTI 1.1 without issues.