Log Off all Devices

This idea has been developed and deployed to Canvas

For more information, please read through the Canvas Deploy Notes (2022-01-05)


In Canvas mobile apps the login token never expires, much like Facebook's mobile app retains a password.

When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.

In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen.

I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution. Admins may need to log users out of the mobile apps if they have been terminated or an institution-owned device has been stolen.

For example, Sally has logged into the mobile Canvas app on her iPhone, iPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could exist within the user profile.

I have attached a screenshot of the feature in Facebook as reference.

48 Comments
KristinL
Community Team
Status changed to: Complete
Comments from Instructure

For more information, please read through the Canvas Deploy Notes (2022-01-05)

chadscott
Community Contributor

@KristinL perhaps I'm not reading the "suspend user" notes well, but it seems the suspend user account does not address the issue of the feature request at all.

"suspending the user from the account will remove all access to all authorized systems from all their logins. The user will not be able to access Canvas using any login method from any previously authorized tool, such as a mobile device."

- So this blocks their ability to log in at all. This isn't what the request was about. It asks for a way to remove authorized access tokens for mobile devices, so the device is logged out of the user account.

- If the user was logged into an app on a mobile device, are they logged out? It seems like this does nothing to existing authorization keys and that suspending a user would NOT log them out of the mobile device, but if they logged out, they wouldn't be able to log back in.

I'm not sure why this new feature was tied to this request.

Cheers,
Chad Scott

KristinL
Community Team

Hi @chadscott -

Thank you for pointing this out. You're correct; the Notes don't reference tokens. There are a few ways in which this mix-up may have occurred. I'm looking into things and seeking clarification from a few teams. As soon as I have identified all the pieces and have a good summary for everyone, I'll update this thread. 🙂

jozsefdavid
Instructure Alumni

Hi @chadscott !

Please look at this blog post. I believe it addresses the original request. There is another blog post about the mobile session expiration. It is under active development today, so you can expect it in the near future. This will not completely address the original request, but based on the settings (defined by the schools) the mobile users will be asked to log in again from time to time.

danielcktan
Community Contributor

We had a recent security breach due to the "never expire login tokens".

This resulted in unauthorised access to other accounts and spam messages sent to several teachers from the compromised student accounts.

The recent mass password reset does not resolve the issue, as students who have not logged out from the app can continue to access the account even when the login password has changed.

We tested the solution deployed on 05 Jan 2022.

Based on my test, if the user tries to log in when the account is suspended, this will clear the login tokens.

However, during the suspension period, if the user is not accessing any accounts, he will continue to be able to stay logged in when the account is re-activated.

Hence, the deployed solution does not solve our existing problem. 😕
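As an added illustration of the behaviour the original request describes (Sally logging out of any one device, or all of them, and an admin doing the same for any user) and of the gap danielcktan's test found (a suspension that blocks access but leaves existing tokens usable once the account is reinstated), here is a small Python session registry. It is example code written for this page, not Canvas's implementation; the class, the method names and the per-user password-generation counter are assumptions.

```python
# Added example (not Canvas code): a server-side session registry that
# supports "log out this device" / "log out everywhere" and invalidates
# every existing token when the password changes. Names are hypothetical.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Session:
    session_id: str
    user_id: str
    device: str          # label shown to the user, e.g. "iPhone"
    token_hash: str      # only a hash of the bearer token is stored server-side
    issued_at: float
    pw_generation: int   # password generation the token was issued under


class SessionRegistry:
    """Tracks every live login token per user so any of them can be revoked."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}       # session_id -> Session
        self._pw_generation: Dict[str, int] = {}      # user_id -> generation
        self._suspended: Set[str] = set()

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user_id: str, device: str) -> Tuple[str, str]:
        """Issue a new token; returns (session_id, token). The token is shown once."""
        token = secrets.token_urlsafe(32)
        sid = secrets.token_hex(8)
        self._sessions[sid] = Session(
            sid, user_id, device, self._hash(token), time.time(),
            self._pw_generation.get(user_id, 0))
        return sid, token

    def _find(self, token: str) -> Optional[Session]:
        h = self._hash(token)
        return next((s for s in self._sessions.values() if s.token_hash == h), None)

    def authenticate(self, token: str) -> Optional[str]:
        """Return the user_id for a valid token, else None."""
        s = self._find(token)
        if s is None:
            return None
        if s.user_id in self._suspended:
            return None  # blocked while suspended, but the token itself survives
        if s.pw_generation != self._pw_generation.get(s.user_id, 0):
            del self._sessions[s.session_id]  # issued before a password change
            return None
        return s.user_id

    def list_sessions(self, user_id: str) -> List[Tuple[str, str]]:
        """What a 'where you're logged in' page would show the user or an admin."""
        return [(s.session_id, s.device)
                for s in self._sessions.values() if s.user_id == user_id]

    def revoke(self, user_id: str, session_id: str) -> bool:
        """Log out one device. Only a session owned by user_id can be revoked."""
        s = self._sessions.get(session_id)
        if s is None or s.user_id != user_id:
            return False
        del self._sessions[session_id]
        return True

    def revoke_all(self, user_id: str) -> int:
        """Log out everywhere; the action the request asks for, usable by admins too."""
        doomed = [sid for sid, s in self._sessions.items() if s.user_id == user_id]
        for sid in doomed:
            del self._sessions[sid]
        return len(doomed)

    def change_password(self, user_id: str) -> None:
        """Bumping the generation makes every previously issued token stale."""
        self._pw_generation[user_id] = self._pw_generation.get(user_id, 0) + 1

    def suspend(self, user_id: str) -> None:
        """Blocks access but, on its own, leaves existing tokens in place."""
        self._suspended.add(user_id)

    def reinstate(self, user_id: str) -> None:
        self._suspended.discard(user_id)


if __name__ == "__main__":
    reg = SessionRegistry()
    _, phone = reg.login("sally", "iPhone")
    reg.suspend("sally")
    reg.reinstate("sally")
    print("token still valid after suspend/reinstate:", reg.authenticate(phone) == "sally")
    reg.revoke_all("sally")
    print("token valid after revoke_all:", reg.authenticate(phone) == "sally")
```

The suspend/reinstate pair in the demo reproduces the observation in the comment above: blocking the account is not the same as revoking its tokens, which is why a dedicated revoke-all (and token invalidation on password change) is the control the request is actually asking for.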

jpruden
Community Participant

@danielcktan Yes... this is exactly the problem with not having some sort of functionality that allows Admin access to reset and expire all tokens.

You can contact Instructure Support to get them all expired and locked out... and a button would be better.

Been asking about forever tokens for about 7 years. Sorry to hear this...

KristinL
Community Team
Status changed to: New

KristinL
Community Team
Status changed to: Completed