Update!!!

(12/02/2023) The feature got postponed for various reasons, but it is still on the roadmap and we are reviewing it on a quarterly basis. I will update this blog post once we put it in  motion again.

Introduction to the problem

When you open the Canvas mobile apps, they keep you logged in, even if you put the app to the background or close it completely. This behavior adds convenience for the users and is typically what we expect from a mobile application in 2022. But many times convenience comes with sacrifice. In discussions with various institutions, we've discovered that keeping users logged in can be cause for concern in certain situations such as:

• The device is shared in a classroom
• The device is stolen or lost
• The device is lent to somebody else
• Canvas being compliant with the institutions’ security policies

Solution

The ideal solution finds the balance between user experience and security. What seems perfect for one might be a problem for another. It looks like there is no “one size fits all”. 

Instead of detailing the discovery and design process that we’ve undertaken, I will mention some key results. During interviews with some Canvas institutions, we considered pin code authentication, biometric authentication, and several different versions of the token based authentication. I won't detail the pros and cons of each solution; I will just describe the solution—we think—might be acceptable for the use cases we are aware of.

Most importantly, we will stick to token-based authentication. This is how the applications work today, but we will add new configuration options at the institution/account level. Your customer success manager will help you to configure those settings. 

If desired, you will now be able to limit the duration of the mobile session based on two new settings:

• Setting 1: Absolute expiration time (hours since login)
• The value must be provided in Hours
• The minimum time period is 48h
• Setting 2: Sliding expiration time (hours since last activity)
• The value must be provided in Hours
• The minimum time period is 4h

If configured, you must choose values for BOTH settings; you cannot have only Setting 2 or Setting 1.

About Setting 1: The Absolute expiration time (hours since login)

This setting ensures the user has a persistent mobile session, regardless of their activity, until the timer expires. Once the timer expires, Canvas switches to using the activity based timer to determine session persistence.

How can the Setting 1 timer expire?

• After I log in to the application and the time configured for Setting 1 has passed
• I am logged out from the application

What happens if the Setting 1 timer expires?

We have 2 possibilities here:

1. I am actively using one of the Canvas Mobile apps when the timer expires
• In this case I will not be logged out because the Setting 2 timer has not yet expired. I can continue using the app until the Setting 2 timer expires (which is not happening since I am actively using the app—see later)
2. I have already closed the application or just put it into the background, so I am not using it actively
   • if the timer has expired, it will ask me to log in (select school and provide credentials)
   • If the timer has not expired, it will let me open the application without logging in and will continue allowing access until I become inactive for the Setting 2 duration
• Next time I open the application, the app will check the Setting 2 timer status and 

Some more information about this setting:

• The Setting 1 timer is running even if I am not actively using the application.
• If the Setting 1 timer is active, I will remain logged in, regardless of activity.
• This timer is neither reset nor stopped after the login action. 

About Setting 2: The Sliding expiration time (hours since last activity)

The sliding expiration time prevents a user from being logged out if they are still active in the application and is always counted from the last activity. Imagine a timer set to 4 hours and then continuously reset when I do any interaction with apps. This timer will only expire if I don’t do anything in the apps for 4 hours. Actions that reset the timer include opening a screen, loading an assignment or submission, reading an inbox message, writing/reading announcements, checking grades. These behaviors are why we often refer to these activities as “time since last activity”. 

How can the Setting 2 timer expire?

• After Setting 1 (time since login) has expired, I am idle and the time configured for Setting 2 has passed
•  After Setting 1 (time since login) has expired and I put the app aside or closed it and the time configured for Setting 2 has passed

What happens if the Setting 2 timer expires?

We have 2 possibilities here:

1. Setting 1 timer is not yet expired → the user remains logged in regardless of setting 2
• In this case I will not be logged out because the app will detect that Setting 1 timer is not expired and it will just reset the Setting 2 timer. I will not even notice that the Setting 2 timer expired. I can continue using the app until the Setting 2 timer expires (which is not happening until I am actively using the app).
2. Setting 1 timer has also expired → the user is logged out
• This can happen only if I am idle;  I did not interact with the application recently. In this case since I am not using the app, I will not notice anything.
• Next time when I start the application (or bring the app into the foreground) it will ask me to log in (select school and provide credentials).

Some more information about this setting:

• The Setting 2 timer is running even if I am not actively using the application.
• If the Setting 2 timer is active, I will remain logged in.

What happens if I am logged out because of these settings?

Don’t worry, no catastrophe, but you will need to log in again, which means selecting the school and providing your user credentials. 

The added value 

These additional settings are how we can ensure that nobody will be logged out while they are actively working in the Canvas Mobile applications while security is still considered. By coordinating with their Instructure Customer Success Manager, the admins will be able to configure the system according to the security policies. As an end user, you would notice one change: from time to time you will be asked to log in to the app again. The frequency of these logins will be managed by the settings set by the institution.

Special thanks to Jesse Poulos (Product Manager of another Canvas team) for helping me put this post together. His team will do the majority of the work. This project is a work in progress and we will definitely let you know when the feature gets released.