Log Off all Devices

This idea has been developed and deployed to Canvas

For more information, please read through the Canvas Deploy Notes (2022-01-05)


In Canvas mobile apps the login token never expires; much like Facebook's mobile app retains a password.


When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.


In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen. 


I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution.  Admins may need to log users out of the mobile apps if they have been terminated or an institution owned device has been stolen.


For example, Sally has logged into the mobile Canvas app on her iPhone, iPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could be within the user profile.


I have attached a screenshot of the feature in Facebook as reference.

48 Comments
glathrop
Community Novice

For security purposes, login tokens should always have an expiration date. Having to re-enter login information once every 30 to 60 days is a minor inconvenience for a user, but would prevent a lot of problems for a school and for Canvas.

mzucal
Community Contributor

It's just basic security, really

bfowler
Community Explorer

Voted up.

While I support the API call of course--who wouldn't--it's useless to my operation because...no API computing support. So a UI button in the console is essential, and SIS import to batch delete tokens by user ID via CSV, thx for the consideration.

meichin
Community Participant

Yikes!  I just learned about this today. I hope that Canvas is able to address this and it gets changed asap!

It amounts to a huge security violation for our university. We may have to disable the app and not allow students to use it at all. For now, however, we did put in a ticket to expire all tokens on our mobile apps. We will continue to do that routinely until this is fixed.

How we found out about it is that the "last login" data was not matching activity for one student (we had a request for last login from the administration). Turns out he was "always" logged into the student app, and was accessing his Canvas sites from there. However, the last login that instructors see is very misleading because the token on the app never expires. This violates the integrity of the last login data that the instructors see. Double trouble!

Please, Canvas engineers, realize that the student app should not have a token that never expires. It should expire at least daily.  Thank you for taking a good look at this!

rseilham
Community Champion

@meichin - I do agree with you on this, but one item of clarification: I don't think you can disable the mobile app access. From my knowledge, only the Canvas Parent app is behind a feature flag.

meichin
Community Participant

Thanks - you're right, admins can only turn off the parent app. I'm sure that Canvas can remove the student app from our institution, though, right?  It should be our choice - especially now that we understand the security issue and the problem with tracking the last login.  Phew - what a doozy!

peytoncraighill
Instructure Alumni

Hi!

This request comes up a couple of times each year and I couldn't find an official Canvas response in the community, so I'll jump into the deep end.

There's no philosophical hold-up to making this an admin-accessible feature -- it just hasn't been done. The current state of the "feature" is: 1) call your CSM and ask them to delete your account's mobile tokens, 2) CSM creates a ticket for engineering to delete your account's mobile tokens, and 3) engineering deletes your account's mobile tokens. (If you want that process to feel even more like 1996, try faxing the request to your CSM!)

Additionally, any individual student can delete their own tokens at any time. There's also an awkward way for admins to delete any individual's tokens, which is to add another username/password to the user, and then log in as that user to remove their tokens.

The reason this idea hasn't gotten more traction in development is because these workflows (workarounds?) exist. It's totally possible that reason isn't good enough. There are a few requests mentioned in this thread to address the problem, all aimed at forcing the student(s) to reauthenticate from mobile:

  1. Add a button for admins to delete all mobile tokens at an account/sub-account on demand.
  2. Add the ability for admins to delete individual tokens -- via masquerade, or from a user's profile, or through any mechanism less painful than adding a second login.
  3. Add API support for deleting tokens.
  4. Automagically delete tokens for any user when their password is changed (would only apply for Canvas authentication).

For what it's worth -- and this is philosophical -- I think the cost of allowing accounts to establish a preset lifetime for mobile tokens isn't worth the pain inflicted on users at accounts that would choose to establish a lifetime of one day, or one hour. We'd probably sooner allow an account to just disable mobile access altogether. But what's probably more sane than both of those options is adding fingerprint/facial authentication to the apps and not touching the token lifetime (i.e., you went through some significant rigmarole to get this token, now use your fingerprint to access it).

Any additional commentary you have on how you'd prioritize these requests or anything else I said is welcome!

meichin
Community Participant

I would like to have admin button to set a schedule to delete ALL mobile tokens (like every 90 days).  I promise I would not set that to an hour. Perhaps you could set 30 days or something as a minimum and if for some reason we needed to delete tokens sooner we could put in a ticket for that. That said, I could also see instances where we would need to just go to one user's account and quickly delete a token with one button push. Having both of these options would solve our issues. Thank you so much for posting these potential solutions!

MLentini
Community Participant

Honestly, a button on the user profile page that says "nuke this user's tokens" (or something like that) would at least solve the high-priority problem. And that seems relatively easy to do. The API call would be nice, because then we could just plug the call into our script for disabling accounts. 

I think there are three different scenarios emerging here:

  1. Delete tokens for a single user, or for a batch of users who are leaving the institution. This happens every quarter; it's just a part of our business as academic institutions.
  2. Delete everyone's tokens. This has never come up for us. I can see the general security concern for this, though. 
  3. Disallow mobile access. 

If I had a vote, or was in charge of the world, I'd probably advocate for them in roughly that order. 

Marc
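
Two of the requests above ask for the same thing in different forms: bfowler wants a CSV of user IDs that revokes tokens in bulk, and MLentini wants an API call to drop into an account-disable script. What follows is an added example of such a script; it is not Canvas code and was not posted by anyone in this thread. It assumes the Canvas Users API exposes "Terminate all user sessions" as `DELETE /api/v1/users/:id/sessions` (an assumption to verify against your own instance's API documentation), an admin API token in the `CANVAS_TOKEN` environment variable, and a constructed CSV export embedded inline. The HTTP sender is injectable so the CSV handling and per-user outcome reporting can be exercised offline, and the script runs as a dry run unless `--apply` is given.

```python
"""Batch session revocation for Canvas users (added example, not Canvas code).

Assumption: the Canvas Users API provides "Terminate all user sessions" as
    DELETE /api/v1/users/:id/sessions
which ends that user's web and mobile sessions. Confirm against your own
instance's /doc/api/users.html before relying on it.
"""
import csv
import io
import os
import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample export, not real data: the kind of file an SIS or HR
# process hands an admin, including a blank row, a duplicate and a bad id.
SAMPLE_CSV = """user_id,reason
101,terminated 2022-01-05
102,institution device stolen

101,duplicate row
abc,not a canvas id
103,
"""


def parse_user_ids(csv_text: str) -> Tuple[List[int], List[str]]:
    """Return (unique numeric ids in first-seen order, rejected raw values).

    Only digit strings are accepted so nothing from the CSV can alter the
    request path; everything else is reported back to the operator.
    """
    ids: List[int] = []
    rejected: List[str] = []
    seen = set()
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("user_id") or "").strip()
        if not raw:
            continue                      # blank cell or padding row
        if not raw.isdigit():
            rejected.append(raw)
            continue
        uid = int(raw)
        if uid not in seen:
            seen.add(uid)
            ids.append(uid)
    return ids, rejected


def session_url(base_url: str, user_id: int) -> str:
    """Endpoint for the (assumed) terminate-all-sessions call."""
    return f"{base_url.rstrip('/')}/api/v1/users/{user_id}/sessions"


def http_send(method: str, url: str, token: str) -> int:
    """Real sender: one authenticated request, returns the HTTP status."""
    req = urllib.request.Request(
        url, method=method, headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


Sender = Callable[[str, str, str], int]


def revoke_sessions(base_url: str, token: str, user_ids: List[int],
                    send: Sender = http_send,
                    dry_run: bool = False) -> Dict[int, str]:
    """Call the endpoint once per user; never abort the batch on one failure.

    Returns a per-user outcome so the operator can re-run only the failures
    (a user id that no longer exists yields an HTTP error, not a crash).
    """
    results: Dict[int, str] = {}
    for uid in user_ids:
        url = session_url(base_url, uid)
        if dry_run:
            results[uid] = "dry-run"
            continue
        try:
            status = send("DELETE", url, token)
            results[uid] = "ok" if 200 <= status < 300 else f"http {status}"
        except urllib.error.HTTPError as err:      # 4xx/5xx raised by urlopen
            results[uid] = f"http {err.code}"
        except Exception as err:                   # network or sender failure
            results[uid] = f"error: {type(err).__name__}: {err}"
    return results


def main(argv: List[str]) -> int:
    """Usage: script.py https://canvas.example.edu users.csv [--apply]"""
    if len(argv) < 3:
        print(main.__doc__)
        return 2
    base_url, path = argv[1], argv[2]
    apply = "--apply" in argv[3:]
    token = os.environ.get("CANVAS_TOKEN", "")
    if apply and not token:
        print("CANVAS_TOKEN is not set")
        return 2
    with open(path, newline="") as fh:
        ids, rejected = parse_user_ids(fh.read())
    for bad in rejected:
        print(f"skipping non-numeric user_id {bad!r}")
    for uid, outcome in revoke_sessions(base_url, token, ids,
                                        dry_run=not apply).items():
        print(f"{uid}: {outcome}")
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Because the sender is a parameter, the same `revoke_sessions` function can be pointed at a different endpoint (for example a token-level delete, if your instance offers one) without touching the CSV handling, and a failed call for one user is recorded rather than stopping the rest of the batch.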

cfrodrig
Community Novice

@peytoncraighill,

Thanks for your post. If Canvas were to explore adding fingerprint/facial authentication/pin code/etc. to the apps and not touching the token lifetime, can you comment on whether it would be required or optional for the user? Would institutions be able to decide that as a setting? 

Aside from that consideration, we'd probably find both (#1) an admin button to delete tokens and (#3) API support an improvement for us. Somewhat related, we also found and are voting up this idea (Disable/Deactivate User at Account Level), as that would also be a welcome improvement for us. Thanks again.