Authored by: Alexander Persaud, Senior Director, Implementation Services
At D2L, we strive to maintain open communication with our customers about the security of our products, including clear resources on security features, updates, and precautions or issues that may require customer action.
One of the key aspects of a secure system is having best-in-class authentication practices in place.
Access to D2L Brightspace is available through a variety of authentication methods, including:
- Single Sign-On (SSO): a session and user authentication solution that permits a user to use one set of login credentials for multiple applications or services, including Brightspace.
- Local Authentication: a method of logging in to Brightspace in which the username and encrypted password are stored in Brightspace. Clients may set customizable password rules for Local Authentication.
Single Sign-On (SSO)
SSO is a security practice that can help reduce password fatigue, centralize authentication, and enhance control over access to D2L Brightspace, while helping to improve user experience and bolster security measures. Over 89% of Brightspace users are on environments with SSO configured.
The broad K-12 market has a high adoption rate of SSO. For example, the Clever Cybersecure 2024 survey of district leaders found that about 85% of K-12 school districts have adopted SSO.
Multi-Factor Authentication with SSO
Multi-Factor Authentication (MFA) can improve website security by requiring users to provide multiple forms of identification. This method of authentication can reduce the risk of unauthorized access through password vulnerabilities and common attack methods while also helping to enhance compliance and user awareness. Many Identity Providers (IdPs) support the configuration of MFA. Because it is a recognized security best practice, the use of SSO with MFA is rapidly increasing within the K-12 market.
The use of SSO means that your users will have fewer passwords to remember, and it can discourage password re-use across systems. For customers that do not have SSO configured, we recommend exploring the use of SSO as the next step in improving the authentication security of Brightspace.
For more information regarding D2L’s support for SSO, refer to the SAML Administration documentation.
Disabling Local Authentication for users leveraging SSO
If you are a customer that leverages SSO as your primary method of authentication, D2L recommends that you consider implementing the following security feature that is available for configuration within Brightspace.
Brightspace provides the capability to restrict, by role, the set of users that can leverage Local Authentication. Allowing a set of users to authenticate only via SSO can improve the security of Brightspace. This is accomplished by enabling the Disable Allowing Local Login permission, which immediately prevents all users in the role from using Local Authentication. The use of this permission is recommended for all non-administrator roles that you expect to authenticate via SSO.
For additional details on how you can effectively use this feature, refer to the Disable local login topic.
Local Authentication
Local Authentication can be a necessary means of authentication for customers. When this authentication method is used, it is important that the appropriate security measures are put in place.
As a part of Local Authentication, you can introduce Two-Factor Authentication (2FA) for your administrative roles.
Two-Factor Authentication (2FA) for Administrators
Many customers that have SSO configured can also grant access for a select group of users to log in using Local Authentication. This is a common practice for Administrator accounts.
If you are a customer that allows Local Authentication for Administrator accounts, D2L recommends that you consider implementing the following security feature that is available for configuration within Brightspace.
2FA can improve website security by requiring users to provide a second form of identification. This can reduce the risk of unauthorized access through password vulnerabilities and common attack methods while also helping to enhance compliance and user awareness.
2FA is recommended for users with Administrator roles who are accessing Brightspace via Local Authentication, where a user has access to an internet-connected mobile device as a secondary form of identity. The mobile device is used to obtain a numeric security code, which the user enters into Brightspace as a secondary form of identification.
For additional details on how you can effectively use this feature, refer to the Create a list of authorized users and manage two-factor authentication (2FA) topic.
DISCLAIMER
The contents of this page were created with care and are provided for informational purposes only. D2L assumes no liability for the accuracy, completeness, and actuality of the content provided. It is important to note that cybersecurity threats are constantly evolving, and security requirements or best practices may change at any time. You are responsible at all times for choosing and implementing the measures that best suit your organization, user base, and risk profile.