Log Off all Devices

This idea has been developed and deployed to Canvas

For more information, please read through the  Canvas Deploy Notes (2022-01-05)


In Canvas mobile apps the log in token never expires; much like Facebook's mobile app retains a password.

 

When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.

 

In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen. 

 

I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution.  Admins may need to log users out of the mobile apps if they have been terminated or an institution owned device has been stolen.

 

For example Sally has logged into the mobile Canvas app on her IPhone, IPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could exist within the user profile.

 

I have attached a screen shot of the feature in Facebook as reference.

48 Comments
p_a_hudson
Community Participant

Imagine if a student has been suspended for illegal activity, such as bullying another student and every other system has revoked their access, but the mobile app continues to allow that harassment to continue. That's not really acceptable is it? There are many reasons we need the token to be cleared. But this is the most serious one that we've experienced in the past. 

We really do need an api and interface option to revoke their tokens. 

cms_hickss
Community Coach
Community Coach

The original request here was for an option to "Log Off All Devices". This I am for, for the reason stated, a user (because students aren't the only ones to lose their phone/devices) would have the ability, should the user's phone or account be compromised... to change the password and tell all other ways of accessing Canvas to revoke that "OLD" access.

This would have a second benefit that if a user clicks that "Log Off of All Devices" --or let's be honest, the browser "Log Out" button should be doing this-- make the user use the password that Canvas should be looking for as set on the "Authentication Settings" page.

mzucal
Community Contributor
Author

My idea was originally to allow admins to globally, or individually, log off users from all devices. Allowing users to do this from their profile would be helpful as well.

cms_hickss
Community Coach
Community Coach

My apologies, I took this line "I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution." to mean you were requesting the feature for both users (students, teachers, etc) and admins.

jpruden
Community Participant

Hi Susan,

This is how "other apps" handle the "forever token" issue (they log out of all devices by default when passwords are changed). When I originally brought this up with our CSM, the answer back from Product Development/Engineering was "Well, everyone does it this way."... so I tested it. Facebook does it this way as did most of the other apps that "remembered" logins.

In checking around, I also found out that Schoology follows Canvas with their mobile app with the forever token. Doesn't Instructure want to be able to tell folks that they have better security than Schoology?

Looks like it's time to sic everyone on this one.

smiles,

Jamie

jpruden
Community Participant

Agreed... no need for hours, just add option for "Now", "Every XX" days, and "Yearly on XX date".

I don't see the issue with forcing all users to reauthenticate into the app... they enter their password to get on the wireless, check their e-mail, and access grades in our SIS... why not on our LMS?

jpruden
Community Participant

Also agreed... since our CMS is able to ask engineering to do this, it's scriptable at some level. I'd love to see "nuke one" and "nuke all" commands for Admins.

And I LOVE LOVE LOVE the idea behind "disallow mobile access"... with all of the issue with the mobile versions of Canvas, this would *force* students to use the full, web version (which would log them out after 15 minutes of inactivity, but I digress...)

cms_hickss
Community Coach
Community Coach

Yes, I am aware that this is how facebook handles things. That wasn't my point. My point was, to get what was being asked for clarified. Because if we aren't clear then Canvas might only put option A into the system because they didn't know people also wanted B.

  1. a USER driven "Log Out of All" functionality (ie, a user no matter their role in the system can do this for themselves)
  2. an ADMIN driven "Log Out of All" functionality, which then has two parts
    • system-wide, all users, at once
    • single user (ie, one at a time)
jack0x539
Community Explorer

Excellent information there  @peytoncraighill ‌, thank you. We've now automated the removal of mobile access tokens, in situations where the user is banned/disabled from our institution's IT systems for whatever reason.

- create a canvas login for the user

- delete their mobile access tokens

- delete the canvas login we created at the start

Cheers

Jack

ana_mataksiviou
Community Novice

This looks like a potential security issue to me. It feels wrong that it's possible to remove access from the web browser, but not the app! I.e. that we can control access to the web Canvas but not the apps.