Security and UX are in Harmony in Canvas Mobile

JuditTarnoy
Instructure


We're excited to share updates to how Canvas handles mobile sessions! Following up on our previous discussions about balancing security and user convenience (see previous article), we've implemented key improvements to the mobile logout experience. These changes provide a more standardized and intuitive user experience while ensuring the continued security of user accounts and logins.  

Smarter Session Handling 

Users with expired sessions cannot use the application without re-authenticating. With so-called "forced logouts", users risk losing their unfinished work as well as the device's registration for push notifications. We've improved the mobile logout process to enhance the user experience and keep users in their workflow.

Institutions can set a session expiration period measured from the user's last login (up to 2 days) using a plugin enabled by your institution's Customer Success Manager (CSM). In the web application, Canvas can differentiate between active and inactive users, but it does not have that information for mobile users, so a session expiry of this type affects all mobile users, active and inactive alike.

Instead of being logged out unexpectedly, users now receive a notification asking them to re-authenticate. This not only provides clarity but also allows users to keep their in-progress work, quizzes, or actions in memory. Upon successful re-authentication, users can seamlessly continue their work wherever they left off.

[Image: iOS Session Time Out Message]

Key User Value Highlights:

  • Mobile Session Expiration Handling: Even if a session expires while a user is active, data entered or captured before the expiration is cached locally. The user can therefore continue without losing progress once they successfully re-authenticate; the cache is kept until they either log back in or close the login screen.
  • Push Notifications Stay Live: The device is not unsubscribed from push notifications, as it is during an ordinary logout (an unsubscribe could otherwise lead to duplicate notifications).
  • Preservation of Local Data: Typically, personalizations and offline content are deleted during a regular logout. The new solution retains this data in encrypted device storage, where it remains inaccessible until the user successfully logs back in. The user does not notice this process on re-login.
  • Informative Interruption: The app displays a message assuring users that their data is safe and secure and telling them what the next step is.
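To make the difference between the old "forced logout" and the new "re-auth interrupt" concrete, here is an added example that models both paths; it is not Canvas's own code. The server API, the OS keychain, the app's storage and the push registration are in-memory stand-ins, the session lifetime `TTL` is a made-up number, and the cipher (HMAC-SHA256 in counter mode with an HMAC tag, separate subkeys for each) stands in for the platform's keychain-backed AES-GCM.

```python
"""Model of the two mobile session-expiry strategies discussed above: the old
"forced logout" (wipe everything) versus the new "re-auth interrupt" (keep the
in-progress work encrypted at rest and replay it after login). Added example,
not Canvas's own code: the API, OS keychain, app storage and push registration
are in-memory stand-ins, and the HMAC-SHA256 counter-mode cipher with an HMAC
tag stands in for the platform's AES-GCM."""
import hashlib, hmac, json, secrets


class SessionExpired(Exception):
    """Raised by the simulated API when the bearer token is past its expiry."""


def _prf(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (_prf(key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate subkeys; layout is nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(_prf(key, b"enc"), nonce, len(plaintext))))
    return nonce + ct + _prf(_prf(key, b"mac"), nonce + ct)


def open_sealed(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(_prf(key, b"mac"), nonce + ct)):
        raise ValueError("cached draft failed its integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_prf(key, b"enc"), nonce, len(ct))))


class FakeApi:
    """Stand-in for the server: accepts a write only while the token is live."""
    def __init__(self):
        self.tokens, self.submissions = {}, []

    def issue_token(self, now: int, ttl: int) -> str:
        tok = secrets.token_hex(8)
        self.tokens[tok] = now + ttl
        return tok

    def post(self, now: int, token: str, payload: dict) -> str:
        if self.tokens.get(token, 0) <= now:
            raise SessionExpired()
        self.submissions.append(payload)
        return "ok"


class MobileApp:
    TTL = 100  # hypothetical session lifetime in seconds

    def __init__(self, api: FakeApi, now: int):
        self.api = api
        self.keychain = {"cache_key": secrets.token_bytes(32)}  # simulated OS keychain
        self.storage = {}                      # only ciphertext is ever written here
        self.push_token = "apns-device-token"  # simulated push registration
        self.token = api.issue_token(now, self.TTL)
        self.locked = False                    # True while the re-auth prompt is up
        self.message = None

    def submit(self, now: int, draft: dict) -> str:
        try:
            return self.api.post(now, self.token, draft)
        except SessionExpired:                 # interrupt instead of logging out
            self.storage["pending_draft"] = seal(self.keychain["cache_key"], json.dumps(draft).encode())
            self.locked = True
            self.message = "Your session has expired. Your work is saved; log in to continue."
            return "reauth_required"

    def read_draft(self):
        if self.locked:
            raise PermissionError("re-authenticate before the cache is opened")
        blob = self.storage.get("pending_draft")
        return json.loads(open_sealed(self.keychain["cache_key"], blob)) if blob else None

    def reauthenticate(self, now: int, password_ok: bool) -> str:
        if not password_ok:
            return "wrong_credentials"         # prompt stays up, cache stays sealed
        self.token = self.api.issue_token(now, self.TTL)
        self.locked = False
        draft = self.read_draft()
        if draft is not None:                  # replay the interrupted work
            self.api.post(now, self.token, draft)
            del self.storage["pending_draft"]
        return "resumed"

    def close_login_screen(self) -> None:
        """Prompt dismissed without logging in: fall back to a full (forced) logout."""
        self.storage.clear()
        self.keychain.pop("cache_key", None)   # crypto-shred anything left on disk
        self.push_token = None                 # device unregistered from push
        self.token, self.locked, self.message = None, False, None

    forced_logout = close_login_screen         # the old behaviour, now only the fallback
```

Two details carry the security property. The `locked` flag is the app-level gate that keeps the cached draft unreadable until a fresh token has been issued, and dismissing the prompt drops the cache key along with the blobs, so "inaccessible" still holds for any ciphertext that outlives the wipe on disk. On a real device the key lives in the Keychain or Keystore and the cipher is the platform's AES, but the state machine is the same.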

Supported Use Cases:

This update covers the situations in which a session time-out has to be managed, providing a more robust and secure mobile experience. Once a device's session has expired, the app shows the session time-out message at the user's next action in the following situations:

  • Expired session while the user is actively using the device: The user receives the session time-out message and can log back in to continue their work.
  • Expired session while the app was in the background: The user is prompted to log in when the app is brought back to the foreground.
  • Shared iPad, login with a different user: If a new user attempts to use the mobile app on a shared device after the session has expired and the previous user did not log out, the new user is prompted to log in and the previous user is automatically logged out.
  • Wrong credentials: If the user enters a wrong password on the login screen, the flow is unchanged: as soon as the user closes the login screen, the app logs the user out.
  • Mobile token was deleted: The user receives the same session time-out message and is prompted to log in again.
  • SIS Rollover: The session handling plugin is designed to integrate with SIS rollover processes to ensure appropriate access control during these transitions.

FAQ

  • Q: What does this update do?
    • A: This change allows mobile app users to see a notice indicating it is time to reauthenticate (i.e., re-login) when the session timeout period has expired.  
  • Q: When will this update be available?
    • A: Already in the production environments.
  • Q: How can I kick users, or kick all users, on mobile?
  • Q: Are teachers also impacted by this new plugin?
    • A: The updated system respects session timeout policies for all user roles, including instructors and observers.
  • Q: How do I set session timeout periods?
    • A: Please contact your CSM

Considerations

While many institutions have established policies around session timeouts and technology logouts—often driven by security and compliance requirements—it's worth pausing to consider how these practices translate to the mobile environment. For institutions currently evaluating or refining their mobile security approach, there’s an opportunity to align policy with platform-appropriate UX principles.

In advising on mobile UX and security best practices, I generally encourage teams to reconsider applying web-style session expiration patterns to native mobile apps. Unlike web platforms, native apps are designed to deliver a persistent, frictionless experience. Introducing frequent forced logouts or timeouts can disrupt that flow, especially for users who rely on the app regularly or in time-sensitive moments.

A more user-centered and secure approach is to encourage intentional logouts, particularly on shared devices. By providing clear sign-out options and educating users on responsible session management, you can maintain strong security standards without compromising the user experience.

Session expiration should be treated as an exception, reserved for specific risk scenarios, rather than a default pattern in mobile environments. Striking the right balance between usability and security not only enhances trust but also drives better engagement.

What Is Next?

As part of our continued focus on improving the mobile experience in Canvas, especially around authentication and user session management, we're also looking ahead to more accurate and meaningful insights into mobile app engagement.

Next on our roadmap is Hybrid User Tracking—an approach that measures activity based on both app foreground usage and active interactions. This will allow us to track mobile usage more precisely, ensuring user data reflects actual engagement rather than background activity.

If mobile usage insights are important at your institution, or if you have existing tracking strategies you’d like to share, we welcome your feedback. Please feel free to add your thoughts as comments to this blog post!

7 Comments
christine_cair1
Community Explorer

We like the option to have a session expiration time period; however, the concern we are running into is that the mobile device is allowed to access a "quiz/exam" at the same time as a PC access. We are finding users are accessing a quiz on their laptop while simultaneously accessing the same course and quiz from mobile. They switch back and forth and are able to submit answers after checking other content in the course to acquire the answer. It would be great if the quiz feature did not allow multiple logins.

I see the user point that if a PC is used and there is an issue, you want a user to be able to use another device. I see this would be beneficial for a one (1) time / chance but not continually during the same timeframe. Perhaps if you start with one and switch to the other, you can't go back; a type of "lockout" would help us avoid this issue. We have had a huge upswing last semester and many integrity issue investigations that we would like to avoid.

Open to solutions to avoid.


paul_fynn
Community Coach

Hi @christine_cair1 ,

I'm cross-referencing this to a similar discussion here: Multiple Student Logins, as this overlaps with a discussion about students running multiple sessions or having a proxy logged in on their behalf.

As you identify, additional device/browser lockout may be a way forward. Our in-house discussions this week were around 1) the New Quizzes LTI failing to accurately reflect the browser in use and 2) the desirability of recording the MAC (device) address as well as the IP.

dbrace
Community Coach

@paul_fynn, I am not sure how well Instructure will be able to capture MAC addresses. Someone else might be able to speak with more authority but I do not believe that Instructure would be able to record that without (potentially significant) changes to the different components of their environment(s) and adjustments to their terms of service or privacy policy.

I would like to mention that Instructure does not correctly document user agents from the Mac operating system. I am logged into two different Canvas user accounts on a Mac using Sequoia 15.5 (currently the latest version), once from Microsoft Edge and once from Safari. Below are the user agents that Instructure recorded:

  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0
  • Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/18.5 Safari/605.1.15

My institution's login provider (Okta) is able to report that I am using Mac OS 15.5.0 (Sequoia), even from my personal computer.

I also caution relying solely on IP addresses because of privacy options available to iCloud+ users. While I am redacting portions of them, Canvas has recorded me as accessing Canvas from two different IP addresses from the same computer:

  • Microsoft Edge = 72.94.YYY.ZZZ (my actual IP address)
  • Apple Safari = 104.28.YYY.ZZZ
    • my IP address as routed through iCloud Private Relay
    • if I disable Private Relay and turn it back on, my IP address changes to something else but still starts with 104.28.YYY.XXX

When combined together, the different pieces of data can help to determine multiple logins, locations and devices, but they should not be relied on by themselves, and conversations should be had so that a narrative can be documented.

-Doug
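The two caveats in the comment above (the same Mac showing up under two IPs because of iCloud Private Relay, and Safari's user agent still reporting Mac OS X 10_15_7 on Sequoia) decide how a "student switched devices mid-quiz" check should be keyed. The following is an added example, not Canvas code or anything the commenters posted: it runs a switching check over constructed page-view records. The record fields (`user`, `created_at`, `url`, `remote_ip`, `user_agent`) follow what the comments say Canvas records, but the layout is assumed; the two Mac user agents are the ones quoted above, the iPhone user agent and every IP, user and timestamp are made up.

```python
"""Concurrent-session check for one quiz, run over constructed page-view records.
Added example, not Canvas code. Record layout is assumed; every record is made up
except that the two Mac user agents are the ones dbrace quoted above."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

UA_MAC_EDGE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36 Edg/137.0.0.0")
UA_MAC_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/18.5 Safari/605.1.15")
UA_IPHONE = ("Mozilla/5.0 (iPhone; CPU iPhone OS 18_5 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/18.5 Mobile/15E148 Safari/604.1")  # constructed
QUIZ = "/courses/101/quizzes/7/take"  # hypothetical quiz-taking URL


def _ev(user, minute, ip, ua, url=QUIZ):
    return {"user": user, "created_at": f"2025-06-10T10:{minute:02d}:00Z",
            "url": url, "remote_ip": ip, "user_agent": ua}


EVENTS = [
    # ann: laptop and phone alternating inside one attempt (the scenario christine_cair1 describes)
    _ev("ann", 0, "72.94.1.10", UA_MAC_EDGE),
    _ev("ann", 2, "10.20.30.40", UA_IPHONE),
    _ev("ann", 4, "72.94.1.10", UA_MAC_EDGE),
    _ev("ann", 6, "10.20.30.40", UA_IPHONE),
    # doug: one Mac in Safari, iCloud Private Relay toggled mid-quiz (IP moves, device does not)
    _ev("doug", 0, "104.28.5.6", UA_MAC_SAFARI),
    _ev("doug", 3, "72.94.2.2", UA_MAC_SAFARI),
    _ev("doug", 5, "104.28.9.9", UA_MAC_SAFARI),
    # eve: one browser, one IP; a course page viewed alongside the quiz is not a second device
    _ev("eve", 0, "72.94.3.3", UA_MAC_EDGE),
    _ev("eve", 1, "72.94.3.3", UA_MAC_EDGE, url="/courses/101/pages/notes"),
]


def client_fingerprint(ua: str) -> str:
    """Coarse platform/browser class. The OS version token is ignored on purpose:
    as dbrace observed, Safari on Sequoia 15.5 still reports 10_15_7."""
    platform = "mobile" if re.search(r"iPhone|iPad|Android|Mobile", ua) else "desktop"
    if "Edg/" in ua:
        browser = "edge"
    elif "Chrome/" in ua:
        browser = "chrome"
    elif "Safari/" in ua:
        browser = "safari"
    else:
        browser = "other"
    return f"{platform}/{browser}"


def _ts(e):
    return datetime.fromisoformat(e["created_at"].replace("Z", "+00:00"))


def count_switches(events, key="client", quiz_url=QUIZ, window=timedelta(minutes=30)):
    """Per user: how many consecutive quiz requests closer than `window` apart came
    from a different identity, where identity is the remote IP (key="ip") or the
    client fingerprint (key="client")."""
    ident = (lambda e: e["remote_ip"]) if key == "ip" else (lambda e: client_fingerprint(e["user_agent"]))
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        if e["url"] == quiz_url:
            by_user[e["user"]].append(e)
    return {u: sum(1 for p, c in zip(evs, evs[1:])
                   if _ts(c) - _ts(p) <= window and ident(c) != ident(p))
            for u, evs in by_user.items()}


def flagged(events, key="client", min_switches=2):
    """Users whose attempt bounced between identities at least `min_switches` times."""
    return sorted(u for u, n in count_switches(events, key).items() if n >= min_switches)
```

Keyed on the client fingerprint, only the laptop-and-phone pattern is flagged; keyed on IP, the single Mac behind Private Relay is flagged as well. Either way the count is a lead to follow up in conversation, as the comment says, not a finding on its own.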

paul_fynn
Community Coach

Thanks @dbrace, that's in line with our experience, and we also have dynamic IP addresses in play on Campus that obfuscate the picture further. Add to that students connecting to national providers via mobile .....

There has to be a concern where the data that Canvas is reporting in the general interface doesn't seem always to correspond with what is revealed in either the .csv downloads and course or subaccount reports, nor in the New Quiz moderate function. This can mean that teachers and QA colleagues can easily be misled as to what the "true" picture is for a particular assessment, location and user. This could have serious consequences for academic misconduct proceedings and outcomes, and the possibility of students 'lawyering up' to challenge any adverse outcomes based on a highly nuanced data picture......


JuditTarnoy
Instructure
Author

Hi christine_cair1, this is a good point; let me clarify with the Quiz team about their plan and come back to you.

JuditTarnoy
Instructure
Author

Regarding the IP address tracking, @dbrace, @paul_fynn, I am also involving more colleagues from the web application team. Thank you for your patience.

Susan27
Community Participant

The improvements for end users you've implemented are great. However, we would appreciate it if you could facilitate the option to easily set a separate session duration for the teacher and student apps.