Adding Password Options to the Canvas Authentication Provider

jperkins
Instructure

Security has always been one of Instructure’s core values as we develop Canvas for the modern world. Most of our users log into Canvas through one of our many SSO integrations. However, approximately 12% of the login events we see use a native Canvas username and password. We have heard many requests for more customization options for the Canvas username / password authentication flow, and we are excited to announce some upcoming ones.

New Functionality

On September 21, we’ll be releasing to Canvas production a feature flag, Enhance Password Options, that enables admins to customize the Canvas authentication provider’s password options. The feature will be available for testing in Canvas Beta starting September 11.

Note: Testing certain aspects of this feature in Canvas beta may be difficult due to the lack of user notifications in Canvas Beta (necessary to complete forgotten password workflows).

Once the feature option has been enabled in Root Account Settings, navigate to the root account’s Authentication page (Root Account -> Authentication) and scroll to the Canvas provider, where a new Password Options section is displayed. Clicking the View Options button launches a side tray in which admins can customize their password options.

[Image: a Canvas Root Account Authentication page with the new password options tray open. The available password options for configuration are visible.]

The password options available for customization are as follows:

  • Increase the minimum character length for new passwords
  • Require a number character in the password
  • Require a symbol character in the password
  • Add additional custom forbidden words/terms beyond Canvas’s default list
    • The file type is a .txt file with a single word per row
      • Limited to less than 1MB file size (approximately 100k terms)
    • A password is rejected only if it is identical to an uploaded term
      • No partial or substring matches: an entry of password does not block password1, for example
  • Customize the maximum number of failed login attempts allowed in a row before temporarily suspending a user’s login

The “Current Password Configuration” information box contains the same information that a user will be presented with when they are asked to set a password (as part of both new user and reset password workflows).

[Image: the text box from the password options tray containing the current password requirements that a user setting a new password would need to comply with.]

Limitations

Known limitations at the time of initial release, which we intend (where possible) to address in future work, include:

  • Users whose existing passwords do not comply with an updated policy cannot be prompted to update them.
    • Canvas stores only cryptographic hashes of passwords, never the plain text, so existing passwords cannot be checked against a new policy.
  • Administrators setting passwords on behalf of another user may not be required to meet the password policy at this time (dependent on configuration options).
    • Your institution may not have this functionality enabled. It is an account setting that only Instructure employees can enable for your account.
  • Passwords supplied via SIS Import may not be required to meet the password policy at this time.
    • SIS Import errors may or may not be generated for non-compliant passwords, depending on configuration options.
    • If your institution uploads passwords via SIS Import, validate that the provided passwords comply with the configured policy before uploading.
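
The following Ruby script is an added example for this page, not Canvas source code. It mirrors the password options listed above (minimum length, require a number, require a symbol, exact-match forbidden-term list) and applies them to a SIS users CSV locally, which is the pre-upload check recommended for SIS Import. The class and column names, the option names, the character class treated as a “symbol”, the sample forbidden-term list and the sample CSV rows are all assumptions constructed for the example. The whole-string comparison for forbidden terms follows the behaviour described in this post, which is why an entry of password blocks the password “password” but not “password1!”.

```ruby
require "csv"
require "set"

# Added example, not Canvas code. It mirrors the password options described in
# this post (minimum length, require a number, require a symbol, exact-match
# forbidden-term list) so that passwords in a SIS users CSV can be checked
# locally before upload. The character class used for "symbol", the option
# names and the CSV columns are assumptions made for this example.
class PasswordPolicy
  attr_reader :min_length, :require_number, :require_symbol, :forbidden

  # forbidden_terms: the text of the uploaded .txt list, one term per row.
  def initialize(min_length:, require_number: false, require_symbol: false, forbidden_terms: "")
    @min_length = min_length
    @require_number = require_number
    @require_symbol = require_symbol
    # Stored as a set of whole terms: the post states a match happens only when
    # the uploaded term and the attempted password are exactly the same.
    @forbidden = forbidden_terms.each_line.map(&:strip).reject(&:empty?).to_set
  end

  # Returns the list of rules the password breaks; an empty list means it complies.
  def violations(password)
    v = []
    v << "shorter than #{min_length} characters" if password.length < min_length
    v << "missing a number" if require_number && password !~ /\d/
    # Assumption: any character that is not a letter or digit counts as a symbol.
    v << "missing a symbol" if require_symbol && password !~ /[^A-Za-z0-9]/
    # Whole-string comparison only, so "password" is caught but "password1!" is not.
    v << "matches a forbidden term" if forbidden.include?(password)
    v
  end

  def compliant?(password)
    violations(password).empty?
  end
end

# Checks every row of a SIS users CSV that carries a password and returns
# login_id => violations for the rows that would be rejected by the policy.
# Assumption: a blank password column means no password is being set, so it is skipped.
def sis_password_report(csv_text, policy)
  report = {}
  CSV.parse(csv_text, headers: true).each do |row|
    pw = row["password"].to_s
    next if pw.empty?
    v = policy.violations(pw)
    report[row["login_id"]] = v unless v.empty?
  end
  report
end

# Constructed forbidden-terms file, one term per row (not a real Canvas default list).
SAMPLE_FORBIDDEN_TXT = <<~TXT
  password
  Welcome1
  canvas
TXT

# Constructed SIS users CSV; only the columns relevant to this check are included.
SAMPLE_USERS_CSV = <<~CSV
  user_id,login_id,password,status
  u001,alice,Tr0ub4dor&3,active
  u002,bob,Welcome1,active
  u003,carol,password,active
  u004,dave,correct-horse-battery,active
  u005,erin,,active
  u006,frank,password1!,active
CSV

# Example policy: 10+ characters, a number and a symbol required, plus the list above.
EXAMPLE_POLICY = PasswordPolicy.new(min_length: 10, require_number: true,
                                    require_symbol: true,
                                    forbidden_terms: SAMPLE_FORBIDDEN_TXT)

def example_report
  sis_password_report(SAMPLE_USERS_CSV, EXAMPLE_POLICY)
end

if __FILE__ == $PROGRAM_NAME
  example_report.each do |login, problems|
    puts "#{login}: #{problems.join(', ')}"
  end
end
```

Run against the constructed rows, the report flags bob, carol and dave, while alice and frank pass. frank’s “password1!” passing is the point to notice: because the forbidden list is matched only on the whole string, a list entry of password does not catch passwords that merely contain it, so institutions that want substring blocking have to enforce that themselves before upload.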

Future State

You’ll see many enhancements to the Canvas authentication experience over the coming year. We are fully aware that the functionality added in this feature release is not comprehensive enough to cover the needs of all our customers. This work lays the foundation for additional features down the road.
