Every educational institution offers its services to individuals willing to improve their knowledge in a particular area of study and obtain an appropriate degree. Only enlisted and subscribed participants can visit the lectures and other activities. The same can be applied to Moodle. We want to make sure that the only people using the platform are the ones who should be using it in the first place. Therefore in this chapter we will cover the following topics:
- Basics of authentication
- Common authentication attacks and prevention methods
- Authentication types in Moodle and security tips
Authentication is the process of confirming that something or someone is really who they claim to be. The ways in which someone may be authenticated fall into three categories, based on what are known as the factors of authentication:
- Knowledge (something you know): password, PIN code, etc.
- Ownership (something you have): security token, phone, etc.
- Inherence (something you are): fingerprint, signature, various biometric identifiers
Following the path of most computer systems, Moodle offers basic authentication based on a knowledge factor. This means that in order to operate in Moodle any person must have a user account.
A user account consists of a username, password, and other personal information. Both username and password are used to authenticate a person who wishes to access the platform. Based on the outcome of an authentication, a user will be given or declined access to the platform. The authentication is performed (usually) by comparing provided data from the person trying to access the platform with the data located in the Authoritative Data Source (of user identity). Moodle supports 13 different types of authentication and this actually means that it has support for consulting 13 different types of Authoritative Data Sources.
Note
An Authoritative Data Source is a recognized or official data production source with a designated mission statement or source/product to publish reliable and accurate data for subsequent use by users or by other computer programs.
Logon in Moodle is implemented using a HTML form that submits supplied data over HTTP or HTTPS to the server where it is being processed.
Note
Hypertext Transfer Protocol (HTTP) is a networking protocol used for transferring and rendering content on the World Wide Web. HTTP Secure (HTTPS) is a combination of a HTTP protocol and SSL/TLS (Security Socket Layer/ Transport Layer Security) protocol that offers encrypted and thus secures communication and identification between two computers on the Internet. HTTPS connections are often used for payments transactions and other sensitive information's transfer.
The user enters his assigned credentials into the supplied fields on the login form and presses Login. That sends data to Moodle for processing.