Log Off all Devices

This idea has been developed and deployed to Canvas

For more information, please read through the Canvas Deploy Notes (2022-01-05)


In Canvas mobile apps the log in token never expires; much like Facebook's mobile app retains a password.

 

When an institution has their own authentication system, they don't use the internal Canvas authentication. If a user changes their password within the authentication system at the institution, the user is never logged out of the Canvas mobile apps, unless that user intentionally logs out of the Canvas app. This is a potential security risk.

 

In Facebook a user can choose to log out of all devices. This is especially useful if the user's password has been compromised, or a device has been stolen. 

 

I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution.  Admins may need to log users out of the mobile apps if they have been terminated or an institution owned device has been stolen.

 

For example, Sally has logged into the mobile Canvas app on her iPhone, iPad, and desktop/laptop browser. Sally should be able to log out of any of these connections, or all of them, from within Canvas. A possible location for this feature could exist within the user profile.

 

I have attached a screen shot of the feature in Facebook as reference.

41 Comments
p_a_hudson
Community Participant

Imagine if a student has been suspended for illegal activity, such as bullying another student and every other system has revoked their access, but the mobile app continues to allow that harassment to continue. That's not really acceptable is it? There are many reasons we need the token to be cleared. But this is the most serious one that we've experienced in the past. 

We really do need an api and interface option to revoke their tokens. 

cms_hickss
Community Contributor

The original request here was for an option to "Log Off All Devices". This I am for, for the reason stated, a user (because students aren't the only ones to lose their phone/devices) would have the ability, should the user's phone or account be compromised... to change the password and tell all other ways of accessing Canvas to revoke that "OLD" access.

This would have a second benefit that if a user clicks that "Log Off of All Devices" --or let's be honest, the browser "Log Out" button should be doing this-- make the user use the password that Canvas should be looking for as set on the "Authentication Settings" page.

mzucal
Community Contributor

My idea was originally to allow admins to globally, or individually, log off users from all devices. Allowing users to do this from their profile would be helpful as well.

cms_hickss
Community Contributor

My apologies, I took this line "I would like to have a similar feature available to users within Canvas. This feature should also be available to admins for any user in the Canvas user database at their institution." to mean you were requesting the feature for both users (students, teachers, etc) and admins.

jpruden
Community Participant

Hi Susan,

This is how "other apps" handle the "forever token" issue (they log out of all devices by default when passwords are changed). When I originally brought this up with our CSM, the answer back from Product Development/Engineering was "Well, everyone does it this way."... so I tested it. Facebook does it this way as did most of the other apps that "remembered" logins.

In checking around, I also found out that Schoology follows Canvas with their mobile app with the forever token. Doesn't Instructure want to be able to tell folks that they have better security than Schoology?

Looks like it's time to sic everyone on this one.

smiles,

Jamie

jpruden
Community Participant

Agreed... no need for hours, just add option for "Now", "Every XX" days, and "Yearly on XX date".

I don't see the issue with forcing all users to reauthenticate into the app... they enter their password to get on the wireless, check their e-mail, and access grades in our SIS... why not on our LMS?

jpruden
Community Participant

Also agreed... since our CMS is able to ask engineering to do this, it's scriptable at some level. I'd love to see "nuke one" and "nuke all" commands for Admins.

And I LOVE LOVE LOVE the idea behind "disallow mobile access"... with all of the issues with the mobile versions of Canvas, this would *force* students to use the full, web version (which would log them out after 15 minutes of inactivity, but I digress...)

cms_hickss
Community Contributor

Yes, I am aware that this is how facebook handles things. That wasn't my point. My point was, to get what was being asked for clarified. Because if we aren't clear then Canvas might only put option A into the system because they didn't know people also wanted B.

  1. a USER driven "Log Out of All" functionality (ie, a user no matter their role in the system can do this for themselves)
  2. an ADMIN driven "Log Out of All" functionality, which then has two parts
    • system-wide, all users, at once
    • single user (ie, one at a time)
jack0x539
Community Participant

Excellent information there @peytoncraighill, thank you. We've now automated the removal of mobile access tokens, in situations where the user is banned/disabled from our institution's IT systems for whatever reason.

- create a canvas login for the user

- delete their mobile access tokens

- delete the canvas login we created at the start

Cheers

Jack

ana_mataksiviou
Community Member

This looks like a potential security issue to me. It feels wrong that it's possible to remove access from the web browser, but not the app! I.e. that we can control access to the web Canvas but not the apps.

jfountain
Community Participant

Yikes, how can this be a thing?  Instructure--it's security 101.  A student is dismissed, or an employee is terminated, we disable their account in Active Directory, yet they can still access Canvas indefinitely through the mobile app and never time out?  An instructor could go into their course through the mobile app and do whatever they want after they have been dismissed?  I just learned this today and it's a huge problem that I cannot manage this as the Canvas admin.  I can't even control when our mobile tokens expire.  We must have a way to automate this when a user's account is disabled in Active Directory.

tamara_becker
Community Participant

I voted up!

I have a somewhat related question..

The Student App Login does not have the Stay Signed In checkbox.

What does the Stay Signed In check box do when logging in on a computer-based browser?

This is a capture of the browser login.

Stay Signed In check box

This is a capture of the Student App login.

Student App Log In

jpruden
Community Participant

The Student App NEVER logs out, so there's no need for that button on the iOS app. Forever tokens means "forever"...

smiles,

Jamie

birger_eriksson
Community Participant

This is a serious security issue, and also a problem for admins when there is a disciplinary situation and students may not be allowed to access courses.

The idea came up in 2017 and since a lot more students are using the phone app today the problem gets more urgent. It is time to implement this now!

jfountain
Community Participant

Is this still an issue?  I've commented on the severity of this security hole on another post in the past.  I'm amazed this is not higher priority.

Stef_retired
Community Team
Status changed to: In Development
 
jpruden
Community Participant

OMG. Thank you @Stef_retired . You literally just made my year. Now if we can just get it done before California only sells electric cars...

smiles,

Jamie

Stef_retired
Community Team
Status changed to: On Beta
 
Stef_retired
Community Team
Comments from Instructure

The User Details page allows admins to suspend or reactivate logins for individual users. This change allows admins to manage user access to Canvas.

For more information, please read through the Canvas Deploy Notes (2022-01-05).

mccleish_haynes
Community Member

This is GREAT to see in development!