Log Off all Devices

This idea has been developed and deployed to Canvas

For more information, please read through the Canvas Deploy Notes (2022-01-05)


In Canvas mobile apps the login token never expires, much like Facebook's mobile app retains a password.

When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.

In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen.

I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution. Admins may need to log users out of the mobile apps if they have been terminated or an institution-owned device has been stolen.

For example, Sally has logged into the mobile Canvas app on her iPhone, iPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could exist within the user profile.

I have attached a screenshot of the feature in Facebook as reference.

48 Comments
jfountain
Community Participant

Yikes, how can this be a thing?  Instructure--it's security 101.  A student is dismissed, or an employee is terminated, we disable their account in Active Directory, yet they can still access Canvas indefinitely through the mobile app and never time out?  An instructor could go into their course through the mobile app and do whatever they want after they have been dismissed?  I just learned this today and it's a huge problem that I cannot manage this as the Canvas admin.  I can't even control when our mobile tokens expire.  We must have a way to automate this when a user's account is disabled in Active Directory.

tamara_becker
Community Participant

I voted up!

I have a somewhat related question...

The Student App Login does not have the Stay Signed In checkbox.

What does the Stay Signed In check box do when logging in on a computer-based browser?

This is a capture of the browser login.

Stay Signed In check box

This is a capture of the Student App login.

Student App Log In

jpruden
Community Participant

The Student App NEVER logs out, so there's no need for that button on the iOS app. Forever tokens means "forever"...

smiles,

Jamie

birger_eriksson
Community Participant

This is a serious security issue, and also a problem for admins when there is a disciplinary situation and students may not be allowed to access courses.

The idea came up in 2017, and since a lot more students are using the phone app today, the problem gets more urgent. It is time to implement this now!

jfountain
Community Participant

Is this still an issue?  I've commented on the severity of this security hole on another post in the past.  I'm amazed this is not higher priority.

Stef_retired
Instructure Alumni
Status changed to: In Development
 
jpruden
Community Participant

OMG. Thank you @Stef_retired. You literally just made my year. Now if we can just get it done before California only sells electric cars...

smiles,

Jamie

Stef_retired
Instructure Alumni
Status changed to: On Beta
 
Stef_retired
Instructure Alumni
Comments from Instructure

The User Details page allows admins to suspend or reactivate logins for individual users. This change allows admins to manage user access to Canvas.

For more information, please read through the Canvas Deploy Notes (2022-01-05).

mccleish_haynes
Community Explorer

This is GREAT to see in development!