Log Off all Devices

Idea is currently in development

In Canvas mobile apps the login token never expires, much like Facebook's mobile app retains a password.

When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.

In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen. 

I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution.  Admins may need to log users out of the mobile apps if they have been terminated or an institution owned device has been stolen.

For example, Sally has logged into the mobile Canvas app on her iPhone, iPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could be within the user profile.

I have attached a screenshot of the feature in Facebook as reference.

37 Comments
rseilham
Community Coach

You bring up an excellent point in this post. There are quite a few institutions that use their own authentication methods, especially large universities with lots of users. 

The only way to log off remotely for all devices is to delete the Approved Integration for the iOS or Android app(s) in the user settings on the web. 

[screenshot of the Approved Integrations list in the user settings page]

I'm not sure if an admin can do this on behalf of the user though? Either way, this could be the workaround, but I think something more "official" would be a good feature.

mzucal
Community Contributor

I suppose if the admin was masquerading as the user they could. What I'm referring to is also being able to do it en masse.

jpruden
Community Participant

I had previously requested that Instructure get off their collective tails and implement a fix for this to match the security of the website, but they've made it very clear that iPads will always be second class citizens on this platform.

Short version:

Website: 15 minutes of no activity = logoff

iPad app: forever tokens = never log off ever for anything even if someone's account is disabled, password changed or other actions.

It's just not acceptable and may be in violation of other regulations that require systems to protect student information by logging out after some timeout period.

I'm going to ask all of our faculty to vote on this one to see if we can get their attention.

BTW You can request an "everyone logout" from your CSM to expire all accounts on some date or time. For now, it has to go through engineering to happen... thus the need for contacting your cheerleader um... CSM for help.

thanks,

Jamie

p_a_hudson
Community Participant

This has caused issues for us. We have tried to remove registrations as a fallback solution. But it's really not acceptable that they can continue to access Canvas after we've blocked their main University accounts.

julian_ebeli
Community Participant

Our teachers do not have the rights to delete these tokens from their profile settings. Impersonating them doesn't help.

julian_ebeli
Community Participant

We are seeing that retiring teachers are still logged into the Canvas institution via the phone apps. This feature would help manage them as well. (In lieu of deleting their accounts)

MLentini
Community Participant

We just had this come up. Admins can't delete the tokens while masquerading. There are a couple of kludgy ways to do it (create a second login for that user, etc.), but this could certainly be a lot cleaner. 

MLentini
Community Participant

It would be lovely to have an API endpoint for this. We script some of our authentication/de-authentication work, so it would be ideal to automate this for Canvas as well. 

p_a_hudson
Community Participant

Agreed. An API is the only acceptable way forward for us. Everything account related is automated from our Identity system. A 'manual solution' wouldn't work for us. 

blong
Community Participant

We have had issues with this as well. I had to administratively change an account's password after it appeared the student's account was compromised. The account was still being accessed through the mobile device. After consulting with the Canvas support call-in number, I ended up disabling his access to his courses until I could talk to him to verify the logins. To protect course and student integrity, it shouldn't take multiple steps to lock a student out of an account.

glathrop
Community Member

For security purposes, login tokens should always have an expiration date. Having to re-enter login information once every 30 to 60 days is a minor inconvenience for a user, but would prevent a lot of problems for a school and for Canvas.

mzucal
Community Contributor

It's just basic security, really.

bfowler
Community Participant

Voted up.

While I support the API call of course--who wouldn't--it's useless to my operation because...no API computing support. So a UI button in the console is essential, and SIS import to batch delete tokens by user ID via CSV, thx for the consideration.

meichin
Community Participant

Yikes!  I just learned about this today. I hope that Canvas is able to address this and it gets changed asap!

It amounts to a huge security violation for our university. We may have to disable the app and not allow students to use it at all. For now, however, we did put in a ticket to expire all tokens on our mobile apps. We will continue to do that routinely until this is fixed.

How we found out about it is that the "last login" data was not matching activity for one student (we had a request for last login from the administration). Turns out he was "always" logged into the student app, and was accessing his Canvas sites from there. However, the last login that instructors see is very misleading because the token on the app never expires. This violates the integrity of the last login data that the instructors see. Double trouble!

Please, Canvas engineers, realize that the student app should not have a token that never expires. It should expire at least daily.  Thank you for taking a good look at this!

rseilham
Community Coach

@meichin - I do agree with you on this, but one item of clarification: I don't think you can disable mobile app access. From my knowledge, only the Canvas Parent app is behind a feature flag.

meichin
Community Participant

Thanks - you're right, admins can only turn off the parent app. I'm sure that Canvas can remove the student app from our institution, though, right?  It should be our choice - especially now that we understand the security issue and the problem with tracking the last login.  Phew - what a doozy!

peytoncraighill
Instructure

Hi!

This request comes up a couple of times each year and I couldn't find an official Canvas response in the community, so I'll jump into the deep end.

There's no philosophical hold-up to making this an admin-accessible feature -- it just hasn't been done. The current state of the "feature" is: 1) call your CSM and ask them to delete your account's mobile tokens, 2) CSM creates a ticket for engineering to delete your account's mobile tokens, and 3) engineering deletes your account's mobile tokens. (If you want that process to feel even more like 1996, try faxing the request to your CSM!)

Additionally, any individual student can delete their own tokens at any time. There's also an awkward way for admins to delete any individual's tokens, which is to add another username/password to the user, and then log in as that user to remove their tokens.

The reason this idea hasn't gotten more traction in development is because these workflows (workarounds?) exist. It's totally possible that reason isn't good enough. There are a few requests mentioned in this thread to address the problem, all aimed at forcing the student(s) to reauthenticate from mobile:

  1. Add a button for admins to delete all mobile tokens at an account/sub-account on demand.
  2. Add the ability for admins to delete individual tokens -- via masquerade, or from a user's profile, or through any mechanism less painful than adding a second login.
  3. Add API support for deleting tokens.
  4. Automagically delete tokens for any user when their password is changed (would only apply for Canvas authentication).

For what it's worth -- and this is philosophical -- I think the cost of allowing accounts to establish a preset lifetime for mobile tokens isn't worth the pain inflicted on users at accounts that would choose to establish a lifetime of one day, or one hour. We'd probably sooner allow an account to just disable mobile access altogether. But what's probably more sane than both of those options is adding fingerprint/facial authentication to the apps and not touching the token lifetime (i.e., you went through some significant rigmarole to get this token, now use your fingerprint to access it).

Any additional commentary you have on how you'd prioritize these requests or anything else I said is welcome!
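The revocation primitives this thread keeps circling (log off one device, log off all of a user's devices, log off everyone at an account, and revoke automatically on password change), together with the web-idle-timeout versus never-expiring-mobile-token contrast raised earlier, modelled as a small server-side token store. This is an added illustration written for this page; it is not Canvas code and does not use any Canvas API. The `TokenStore` class, its method names, and the users and devices in it are assumptions constructed for the example. The key design point is that "log off all devices" does not need to find and delete every token: a per-user `sessions_invalid_before` timestamp rejects anything issued before it.

```python
# Constructed example of a token-revocation model. Not Canvas code; every
# name here is a hypothetical chosen for illustration.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional
import secrets


@dataclass
class Token:
    token_id: str
    user_id: str
    device: str
    issued_at: datetime
    last_used_at: datetime
    idle_timeout: Optional[timedelta]  # None = never expires on inactivity (the mobile-app case)
    revoked: bool = False


@dataclass
class User:
    user_id: str
    account_id: str
    # Tokens issued before this instant are rejected. Bumping it is the cheap
    # "log off all devices" primitive: no per-token bookkeeping is needed.
    sessions_invalid_before: Optional[datetime] = None


class TokenStore:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.tokens: Dict[str, Token] = {}

    def add_user(self, user_id: str, account_id: str) -> User:
        user = User(user_id, account_id)
        self.users[user_id] = user
        return user

    def issue(self, user_id: str, device: str, now: datetime,
              idle_timeout: Optional[timedelta] = None) -> str:
        """Create a token for one device; returns its id (a random, unguessable string)."""
        token_id = secrets.token_urlsafe(16)
        self.tokens[token_id] = Token(token_id, user_id, device, now, now, idle_timeout)
        return token_id

    def check(self, token_id: str, now: datetime) -> bool:
        """Pure validity check: not revoked, issued after the user's cutoff, not idle too long."""
        tok = self.tokens.get(token_id)
        if tok is None or tok.revoked:
            return False
        cutoff = self.users[tok.user_id].sessions_invalid_before
        if cutoff is not None and tok.issued_at < cutoff:
            return False
        if tok.idle_timeout is not None and now - tok.last_used_at > tok.idle_timeout:
            return False
        return True

    def use(self, token_id: str, now: datetime) -> bool:
        """What a request handler calls: validate, and on success record the activity."""
        if not self.check(token_id, now):
            return False
        self.tokens[token_id].last_used_at = now
        return True

    def revoke_token(self, token_id: str) -> None:
        """Log off a single device."""
        self.tokens[token_id].revoked = True

    def revoke_user(self, user_id: str, now: datetime) -> None:
        """Log off all of one user's devices."""
        self.users[user_id].sessions_invalid_before = now

    def on_password_change(self, user_id: str, now: datetime) -> None:
        """Password change implies every existing session is suspect: same as revoke_user."""
        self.revoke_user(user_id, now)

    def revoke_account(self, account_id: str, now: datetime) -> None:
        """Log off every user at an account (the 'expire all mobile tokens' ticket, self-served)."""
        for user in self.users.values():
            if user.account_id == account_id:
                user.sessions_invalid_before = now

    def active_devices(self, user_id: str, now: datetime) -> List[str]:
        """Devices a user would see in a 'where you are logged in' view."""
        return sorted(t.device for t in self.tokens.values()
                      if t.user_id == user_id and self.check(t.token_id, now))
```

`check` is kept side-effect free so that listing active devices does not itself count as activity and keep an idle web session alive. Because revocation is a timestamp comparison, tokens that were never enumerated (a lost phone, a forgotten tablet) are still cut off; the only thing a fresh login after the change needs is an `issued_at` later than the cutoff.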

meichin
Community Participant

I would like to have an admin button to set a schedule to delete ALL mobile tokens (like every 90 days). I promise I would not set that to an hour. Perhaps you could set 30 days or something as a minimum, and if for some reason we needed to delete tokens sooner we could put in a ticket for that. That said, I could also see instances where we would need to just go to one user's account and quickly delete a token with one button push. Having both of these options would solve our issues. Thank you so much for posting these potential solutions!

MLentini
Community Participant

Honestly, a button on the user profile page that says "nuke this user's tokens" (or something like that) would at least solve the high-priority problem. And that seems relatively easy to do. The API call would be nice, because then we could just plug the call into our script for disabling accounts. 

I think there are three different scenarios emerging here:

  1. Delete tokens for a single user, or for a batch of users who are leaving the institution. This happens every quarter; it's just a part of our business as academic institutions.
  2. Delete everyone's tokens. This has never come up for us. I can see the general security concern for this, though. 
  3. Disallow mobile access. 

If I had a vote, or was in charge of the world, I'd probably advocate for them in roughly that order. 

Marc

cfrodrig
Community Participant

@peytoncraighill,

Thanks for your post. If Canvas were to explore adding fingerprint/facial authentication/pin code/etc. to the apps and not touching the token lifetime, can you comment on whether it would be required or optional for the user? Would institutions be able to decide that as a setting? 

Aside from that consideration, we'd probably find both (#1) an admin button to delete tokens and (#3) API support an improvement for us. Somewhat related, we also found and are voting up this idea (Disable/Deactivate User at Account Level), as that would also be a welcome improvement for us. Thanks again.