Authentication in E-learning systems: Challenges and Solutions

Digitization is gradually penetrating all aspects of modern society. As it changes the way people communicate, technology has revolutionized education and training in the 21st century. With the advantages of reasonable costs and flexible study time, online training is increasingly seen as an attractive alternative to the full-time on-campus training model. To assure quality of distance training and learning, it is crucial for the online learning management system to make sure the person accessing the course resources and performing learning activities is actually enrolled in the course. One of the important factors determining the security of this process is user authentication. In most cases, this role is filled by a password, but the evidence shows that this method is easily compromised. Many alternatives are available, such as biometric methods, user-challenging methods and smart card methods. With the strong development of technology, confidentiality and authentication must be tightly coupled. This paper presents a qualitative survey of the user authentication systems used in today's E-learning systems and a comparative study of the various authentication mechanisms. There are many methods of user authentication for online learning systems, but each method has different advantages and disadvantages, and none has completely solved the challenges of user authentication. The issue of user authentication still has many challenges that need to be solved thoroughly to improve the security of the system as well as the trust of users and society. This paper provides an overview of our approach and recommendations to address the mentioned issues. In addition, we propose a number of feasible approaches to improve user data privacy as well as improve the effectiveness of the authentication process in the online learning system.


INTRODUCTION
Many top universities in the world have launched online courses up to master level such as the Massachusetts Institute of Technology, Harvard University and the University of Pennsylvania. By collaborating with online training platforms such as Coursera and edX, these institutions have opened entirely remote courses via the Internet. The distance learning process is facilitated by an online learning management system (also known as distance learning or e-learning system). This is a set of software applications that manage the teaching and learning process and the examination procedures 1 . With no more than an Internet-connected computer, a student can access lectures, books and other learning materials, ask questions, submit assignments, and take graded tests just like with traditional learning methods. Originally, the e-learning management system was simply a piece of software that enabled a user to do different things online, including playing lecture video clips and participating in discussion forums. With the current needs, however, the online learning management system has grown into an independent educational environment 2 . Students no longer have to go to lecture halls to meet their instructors; instead, they can interact via the Internet. Some online learning platforms even allow the students to remotely take exams or go through the admission procedure without visiting the campus. This online learning method requires learners to be proactive in their work. To assure quality of distance training and learning, it is crucial for the online learning management system to make sure the person accessing the course resources and performing learning activities is actually enrolled in the course. From the point of view of computer science, the point is to identify and reference a person in the real world as a user in the system. The entity in the system or the user identifier is represented by access to a computer location or resource 2 . 
In an online learning management system, it is the right to access learning materials, interact with instructors and peers, submit assignments, and take exams. The management of user identification and authentication is among the challenges facing security researchers. The remainder of this article is divided into five sections. In the next one, we present some security challenges facing online learning systems, analyzing the security elements and risks when authenticating based on user attributes. The following section provides an overview of our approach and recommendations to address the mentioned issues. The overall architecture and assessment will follow after that. The final section summarizes our key findings and proposes future research directions.

CHALLENGES OF USER AUTHENTICATION IN E-LEARNING SYSTEMS
For online training systems to continue growing and be accepted as an official form of training free of discrimination, security issues must be thoroughly addressed 3 . The system must demonstrate its reliability and win the trust of users and the society regarding its quality of training and transparency, especially in online tests. One prominent challenge is how to know if a student's performance in the system is indeed his or hers. In traditional training, academic records including transcripts and examination results are stored and managed via written documents. Today, both online and offline training systems employ digital records, and digital data seem more likely to be erased or altered than are physical data 4 . Therefore, it is imperative for students' online learning results to be stored and processed in a clear, objective and transparent manner. Let's have a closer look at this challenge via two common security issues: identity misuse and integrity of students' academic results.

Identity misuse
A student's identity in the system is used by another person. Possible causes: the student actively sharing the account or the account being attacked. Two testing-related scenarios could take place as follows:
• The online test is conducted in a controlled environment, on a university's premises for instance. This is common in most of today's educational institutions. Students study remotely on the e-learning platform, then when the time comes for term-end exams, they come to the institution's campus to take the test, which is usually hosted online. Before entering the examination room, students present their student identification (ID) card to the examination officer for identity verification. When the number of students is large, this process is laborious and sometimes impractical. It is also open to error as the officer may be unable to determine if the ID card holder is its legitimate owner.
• The online test is conducted in an uncontrolled environment, off campus, where educational institutions do not have any control over student identity. This is a typical situation for most online learning platforms. It is then the learning management system's job to ensure the test-taker is a legitimate registrant on the system.
In the two cases above, the objectivity and reliability of the E-learning system, particularly of online testing, depends on its ability to ensure testing results are free from cheating, involuntary or voluntary tampering, and impersonation. This challenge pertains to authenticating test-takers, online or offline. When applying the right authentication mechanism, the educational institution can rest assured that student identity is in good check both before and during the test.

Integrity of students' academic results
This aspect concerns the storing and handling of students' academic results 4 . This is particularly vital if the outcomes of distance learning are to be seen as equal to traditional training outcomes. Traditionally, student results are kept and maintained in paper records. In online learning, these records are stored digitally, often in databases. Undesirable data alterations happen when an intruder attacks the system, acquires unauthorized access to the record database, and modifies test results and transcripts. On the other hand, users can be expected to perceive these digital data as less "real" than written data and as open to modification and deletion. In these cases, the challenge is to ensure data integrity and guarantee the transparency of students' learning results.

REVIEW OF EXISTING AUTHENTICATION METHODS

ID/Password-Based Authentication
User ID/Password is one of the most common authentication mechanisms used in online systems. Regardless of user type and user role, each user has a unique identifier to distinguish them from other users. Usually in the authentication process, the user ID is used along with the password. Users must provide both pieces of login information correctly to gain access to the system or application. This ID is used to assign permissions, monitor user activity and manage common activities on a specific system, network or application. Like other information systems, E-learning systems often use user ID and password as the main authentication mechanism. Regarding passwords, people often choose a password that is easy and intuitive. Today people need different passwords to be authorized in many different systems. Therefore, these passwords are often similar and not complicated enough. The registration number or date of birth is used 5 as well as the name, and users have a habit of writing passwords on paper or in some other place. To create a good password some rules must be followed (avoid personal names, use special characters, use capital letters, etc.). Passwords generated by following rules are not intuitive and not easy to remember, so users can forget their passwords. Because of the known risks of authentication through accounts and passwords, such as disclosure, theft or users actively sharing their account with others who attend school in their place, E-learning systems have used other methods to authenticate user identifiers.

Biometric-Based Authentication
Authentication based on biometrics or characteristics is done by verifying the physical or behavioral characteristics of an individual 6 . Biometrics frees users from having to memorize passwords or carry them, because the users themselves are the key to identification 7 . Several biometric authentication features have been developed in recent studies and implemented in online learning systems, including fingerprint recognition 8 , iris identification, face recognition 9,10 , audio identification, or a combination of these features in multimodal biometrics 5,11-17 .

Behavior-Based Authentication
Behavior-based authentication uses devices such as smartphones, smartwatches or other IoT devices. All of these devices offer a wide range of sensors that can detect different kinds of user behavior. The user behavior outcomes are processed and consolidated into a single value called the trust level. This trust level is sent to web services instead of passwords, and each web service determines which trust threshold is needed to access its service or which features are available 18,19 .

User authentication by challenge questions
Based on the assumption that only the user knows his personal information and his past activities, the user attributes-based authentication model challenges the user with a set of security questions. These questions are generated based on user attributes, behavior, and past activities 20 . Only by passing these questions can a user prove that he is an entity with the corresponding attributes in the system. Challenge questions are created by extracting personal information such as social security number, date of birth, place of birth and student ID number. This information is managed by the authentication system. A user profile includes user-specific information that is sensitive. This record is typically stored at the verifier and then used to check the user's verification request 21 .
Based on these conventional authentication methods, various instances for solving the authentication challenges have been studied and proposed. These approaches can be divided into three different categories corresponding to what you know (knowledge-based), what you have (ownership-based), and what you are (inherent-based). Table 1 summarizes our investigation of the existing authentication methods. The first drawback of the knowledge-based model is having to memorize many passwords, some of them complex and difficult to remember, which can lead to confusion between passwords. The second is shoulder surfing, in which an outsider can watch the user's keyboard. Passwords are easily attacked by dictionary-based and exhaustive search methods. It is worth noting that some graphical passwords are also vulnerable to screen capture methods.
In contrast, an inherent-based model is more difficult to break than a knowledge-based model. However, this model has shortcomings: implementation costs are high, and scars, sunglasses and surgery can cause problems and affect the accuracy of the system. Replay attacks and some spoofing methods can easily overcome biometric authentication methods. Finally, the ownership model requires users to bring additional physical devices such as security codes, smart cards, and so on. Accordingly, if the user loses the physical device, this raises security concerns because anyone who finds it can log into the system. Furthermore, intermediary (man-in-the-middle) attacks are threats that can cause problems by collecting data sent between users and servers.
Each authentication model has a number of threats and drawbacks that must be considered during the design process; these are summarized in Table 2.
Since the inception of authentication, a number of methods have emerged. Given the scope of the article, we hereby briefly review the advantages and disadvantages of some of them in Table 3.

Secure Method to Store Authentication Data
A hash table is an abstract data structure commonly used to map key and value pairs. It uses a hash function that computes an index into an array in which an element will be inserted or searched. To compute an index,
Encoding is a method for turning information from a normal format into information that cannot be understood without the means of decoding it. Encryption is essential to secure sensitive information that is passed between two nodes on the network. It provides data security and end-to-end protection of the data. Encryption is often used to ensure that users' personal data is transmitted and stored securely, free from malicious attacks or hacks. This encryption keeps the data protected so that it can only be read by the person holding the secret key.
A linear dimension reducing transform that projects the profile and the verification data to a lower dimension space, while preserving relative distances of the vectors and so correctness of authentication.

Ensure the Integrity of User Authentication Data
User authentication data needs to be absolutely secure. In particular, it must be guaranteed that this data cannot be changed in order to pass the authentication step of the system. There have been many attacks on user databases to steal and modify user information for many nefarious purposes. This leads to the need for storage methods that ensure the transparency and integrity of the data. With these strict requirements, blockchain becomes a potential candidate with its preeminent characteristics. Blockchain technology is commonly known for its applications in the monetary and banking sectors, but it works a little differently from the typical banking system. Instead of relying on centralized regulators, it guarantees the functionality of the blockchain through a set of nodes. This technology ensures immutability: blockchain keeps the information secure so that it is not lost, modified or stolen. It also provides transparency, which makes it resistant to corruption, because every node on the system has a copy of the digital ledger. All nodes follow the same rules of consensus, so every node needs to check the validity of a transaction. One feature of blockchain is that once transaction blocks are added to the ledger, no one can go back and change them. Another potential approach is IPFS, which works by storing data on the network in the form of a file structure 29 . This file structure is a Merkle DAG, which combines a Merkle tree (a form of hash tree that ensures immutability) and a directed acyclic graph (used in Git version control, which also allows users to see content versions on IPFS). Usually a website requires centralized storage of its files on a server in order to operate. Offering great advantages over HTTP, IPFS is immune to DDoS attacks, which threaten many of today's concentrated internet resources. Another advantage of IPFS is its ability to connect to IoT devices.

Efficient Authentication Process
Most authentication processes require users to provide personal information for authentication, which leads to users having to provide too much sensitive information, and obviously this is a matter of concern. Therefore, the authentication process should only require a small amount of data or even part of a user information field. While providing little data, the authentication process must prove that this data is part of the entire user authentication data.
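The requirement above, that a user reveals one field and proves it belongs to the full authentication record, is what a Merkle inclusion proof provides, using the hash tree mentioned in the previous section. The following is an added example, not code from the paper; the field names, values and the salted leaf encoding are assumptions constructed for illustration.

```python
import hashlib, secrets

def h(tag, *parts):  # domain-separated SHA-256: 0x00 = leaf, 0x01 = inner node
    return hashlib.sha256(tag + b"".join(parts)).digest()

def leaf(field, value, salt):
    # The per-field salt keeps low-entropy values (a birth date, say) from
    # being guessed out of the sibling hashes that a proof discloses.
    name = field.encode()
    return h(b"\x00", salt, bytes([len(name)]), name, value.encode())

def levels(leaves):
    """Every level of the tree, bottom-up; an unpaired node is promoted."""
    out = [leaves]
    while len(out[-1]) > 1:
        cur = out[-1]
        nxt = [h(b"\x01", cur[i], cur[i + 1]) for i in range(0, len(cur) - 1, 2)]
        if len(cur) % 2:
            nxt.append(cur[-1])
        out.append(nxt)
    return out

def prove_field(leaves, index):
    """Sibling path for leaves[index] as (hash, sibling_is_left) pairs."""
    path = []
    for level in levels(leaves)[:-1]:
        sib = index ^ 1
        if sib < len(level):  # no sibling when this node was promoted
            path.append((level[sib], sib < index))
        index //= 2
    return path

def verify_field(root, field, value, salt, path):
    """Verifier side: needs only the stored root and the one revealed field."""
    node = leaf(field, value, salt)
    for sib, sib_is_left in path:
        node = h(b"\x01", sib, node) if sib_is_left else h(b"\x01", node, sib)
    return node == root

# Constructed sample record; every value is a placeholder.
PROFILE = [("student_id", "20-0001"), ("birth_date", "2001-05-17"),
           ("birth_place", "Exampleville"), ("national_id", "000-00-0000"),
           ("email", "student@example.edu")]
SALTS = [secrets.token_bytes(16) for _ in PROFILE]
LEAVES = [leaf(f, v, s) for (f, v), s in zip(PROFILE, SALTS)]
ROOT = levels(LEAVES)[-1][0]  # the only value the verifier has to store
```

The user sends one field, its salt and the path from `prove_field`; the other four fields never leave the user's device, and any change to the revealed value or to the stored record changes the recomputed root.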
Besides, we can use an Ethereum address as an identifier (no username or password is required) and the authentication process will be done through smart contracts. This process is described simply by the following steps:
1. User requests access to the service.
2. Service provider sends some challenging questions to the user.
3. User uses the private key of their Ethereum account to sign the answer, then submits the signed answer.
4. Service provider calls the smart contract to verify the answer, signature and user address.
With this approach, service providers will not have to store user data, so user data privacy is guaranteed. Besides, the authentication process is carried out by a smart contract, and this contract is immutable, so the authentication result is transparent and reliable 8,30 .
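The four steps above, modelled end to end as an added example (not code from the paper or from any Ethereum library). Assumptions: SHA3-256 stands in for Keccak-256, so these are not real Ethereum addresses; the secp256k1 arithmetic is a plain teaching implementation; and the contract is modelled as local state holding a hash commitment to the expected answer, which the paper does not specify.

```python
import hashlib, secrets

# secp256k1, the curve behind Ethereum accounts
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):  # affine point addition; None is the point at infinity
    if a is None or b is None: return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    m = (3 * a[0] ** 2 * pow(2 * a[1], -1, P) if a == b
         else (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)) % P
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def mul(k, pt):  # double-and-add; not constant time, for illustration only
    out = None
    while k:
        if k & 1: out = add(out, pt)
        pt, k = add(pt, pt), k >> 1
    return out

def digest(msg): return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
def address(pub):  # ASSUMPTION: SHA3-256 stands in for Ethereum's Keccak-256
    raw = pub[0].to_bytes(32, "big") + pub[1].to_bytes(32, "big")
    return "0x" + hashlib.sha3_256(raw).digest()[-20:].hex()

def sign(priv, msg):  # -> (r, s, v); real wallets derive k per RFC 6979
    while True:
        k = secrets.randbelow(N - 1) + 1
        R = mul(k, G)
        s = pow(k, -1, N) * (digest(msg) + R[0] * priv) % N
        if s and 0 < R[0] < N: return R[0], s, R[1] & 1

def recover(msg, sig):  # like the EVM's ecrecover: signature -> signer address
    r, s, v = sig
    if not (0 < r < N and 0 < s < N): return None
    y = pow(r ** 3 + 7, (P + 1) // 4, P)
    if (y * y - r ** 3 - 7) % P: return None  # r is not on the curve
    R = (r, y if (y & 1) == v else P - y)
    Q = mul(pow(r, -1, N), add(mul(s, R), mul(N - digest(msg), G)))
    return address(Q) if Q else None

COMMITMENTS, PENDING = {}, {}  # hypothetical contract state, keyed by address
def challenge(addr):  # steps 1-2: a fresh nonce accompanies the question
    PENDING[addr] = secrets.token_bytes(16)
    return PENDING[addr]
def respond(priv, nonce, answer):  # step 3: signed on the user's device
    return answer, sign(priv, nonce + answer)
def verify(addr, answer, sig):  # step 4: the check the contract would run
    nonce = PENDING.pop(addr, None)  # single use, so a replayed reply fails
    return (nonce is not None and recover(nonce + answer, sig) == addr
            and hashlib.sha256(answer).digest() == COMMITMENTS.get(addr))
```

A bare hash of a guessable answer can be brute-forced by anyone able to read contract storage, so a deployment would need a salted or otherwise hidden commitment.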

CONCLUSION
There are many methods of user authentication for online learning systems, but each method will have different advantages and disadvantages and has not completely solved the challenges of user authentication. The issue of user authentication still has many challenges that need to be solved thoroughly to improve the security of the system as well as the trust of users and society. In addition, we propose a number of feasible approaches to improve user data privacy as well as improve the effectiveness of the authentication process in the online learning system.
In the future we will study and propose an effective authentication and identity management solution for online learning systems that not only ensures security but also enhances the privacy of users' data.