Community help

p_b_rothwell · ‎07-07-2022

Hi Our Security team are requesting we enable Multi Factor Authentication for Canvas for staff and admin. Does anyone have any experience of the implementation of this? With particular reference to the following

General access and user experience.
Authentication of associated technologies (LTI)

Any input would be most welcome

Thanks in advance

Phil

mzimmerman · ‎07-07-2022

Hi @p_b_rothwell

Just to clarify, are you talking about using MFA with local Canvas authentication, or are you using an SSO for authentication into Canvas?

We use MFA (DUO) with our SSO for all users, but it applies to pretty much all services which use the SSO, so the experience is not any different for Canvas than for most of the other services.

Generally speaking, requiring MFA (whether on an SSO or local logins) should not have any impact on LTIs since the user is already authenticated by the time they access the LTI.

p_b_rothwell · ‎07-07-2022

Hi Thanks for responding so promptly

To clarify it is SSO using the Microsoft ADFS portal.

Pleased to note that LTIs will not require additional MFA authentication.

Yes it looks set to be part of a broader MFA rollout, though as Canvas is by far the most utilised system we are trying to manage any potential blowback that might be directed at this system specifically. How did you manage comms? Was it all through your IT department? Or did you have a hand in the messaging ina Canvas specific sense?

Phil

mzimmerman · ‎07-07-2022

The process was handled by the Identity Management team that manages the SSO. The basic steps were to gradually enable/require MFA for different types of users (first IT staff, then faculty, then students), and initially only on specific services (the SIS, then email, then Canvas, then everything else), so that almost everyone had experience using MFA on at least one other service before it was required on Canvas.

Because of that, there wasn't a whole lot of Canvas-specific communication beyond the usual channels like campus newsletters and Canvas announcements. The Help Desk also had to be brought up to speed helping people get MFA set up and troubleshooting.

There were a couple of gotcha's, of course, like students who got used to using fingerprint scanners on their MacBooks to approve MFA and finding that that method didn't work with LockDown Browser, so they needed a second device.

p_b_rothwell · ‎07-08-2022

Thanks this is really helpful and sounds consistent with what we're looking at. I don't suppose you have a timeline or any project documentation you could share?

Alternatively I'd be happy to arrange a call if you could spare the time

Many thanks

Phil

mzimmerman · ‎07-08-2022

Since I was only involved tangentially, I'm afraid I don't really have any documentation I can share, beyond the high-level strategic plan that talks in general about expanded use of two-factor authentication, and the standard help documents that we have posted for users.

[ARCHIVED] Multifactor authentication and user experience.

Archived

Questions

You're signed out

[ARCHIVED] Multifactor authentication and user experience.

Archived

Questions

Community help

View our top guides and resources: