Security and UX are in Harmony in Canvas Mobile

JuditTarnoy, Instructure

We're excited to share updates to how Canvas handles mobile sessions! Following up on our previous discussions about balancing security and user convenience (see previous article), we've implemented key improvements to the mobile logout experience. These changes provide a more standardized and intuitive user experience while ensuring the continued security of user accounts and logins.  

Smarter Session Handling 

Users with expired sessions cannot use the application without re-authenticating. With so-called “forced logouts”, users risk losing their unfinished work as well as their registration for push notifications. We’ve improved the mobile logout process to keep users in their workflow and improve their experience.

Institutions can set a session expiration period measured from the user's last login (up to 2 days) using a plugin enabled by your institution’s Customer Success Manager (CSM). In the web application, Canvas can differentiate between active and inactive users, but we do not have that information for mobile users, so a session expiry of that type affects all mobile users, active and inactive alike.

Instead of being logged out unexpectedly, users now receive a notification asking them to re-authenticate. This not only provides clarity but also keeps their in-progress work, quizzes, or actions in memory. Upon successful re-authentication, users can seamlessly continue from wherever they left off.

[Image: iOS Session Time Out Message]

Key User Value Highlights:

  • Mobile Session Expiration Handling: Even if a session expires while a user is active, data entered or captured before the expiration is cached. Users can continue their work without losing progress once they successfully re-authenticate; the cache is kept until they close the login screen.
  • Push notifications stay live: Push notifications remain active with the new solution. Users are not unsubscribed from push notifications, as they are during ordinary logouts, which can lead to duplicate notifications.
  • Preservation of Local Data: Typically, personalizations and offline content are deleted during a regular logout. Our new solution retains this data in encrypted device storage; however, it remains inaccessible until the user successfully logs back in. On re-login the data is restored transparently, without any user action.
  • Informative Interruption: We display an informative message assuring the user that their data is safe and secure and telling them what the next step is.

Supported Use Cases:

This update addresses a wide range of use cases in which a session time-out has to be managed, providing a more robust and secure mobile experience. If a device has reached session expiry, it shows the session time-out information message at the next user action in the following situations:

  • Expired session while the user is actively using the device: The user receives the session time-out information message and can log back in to continue their work.
  • Expired session while the app was in the background: The user is prompted to log in upon bringing the app back to the foreground.
  • Shared iPad, login with a different user: If a new user attempts to use the mobile app on a shared device after the session has expired and the previous user did not log out, the new user is prompted to log in and the previous user is automatically logged out.
  • Wrong credentials: If the user enters the wrong password on the login screen, the flow is unchanged: as soon as the user closes the login screen, the app logs the user out.
  • Mobile token was deleted: The user receives the same session time-out information message and is prompted to log in again.
  • SIS Rollover: The session handling plugin is designed to integrate with SIS rollover processes to ensure appropriate access control during these transitions.
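The behaviour described under Key User Value Highlights and Supported Use Cases amounts to a small client-side state machine: an active session, an expired session that blocks further actions but keeps cached work and the push registration, and an explicit logout that clears everything. The following is an added, platform-neutral Python model of that state machine written for this post; it is not Canvas code, and the credential store, token format, and method names are constructed for illustration.

```python
"""Constructed model of mobile session-expiry handling (not Canvas's own code)."""
from dataclasses import dataclass, field
from enum import Enum, auto
from typing import Optional

# Constructed stand-in for the institution's identity provider.
VALID_CREDENTIALS = {"alice": "correct-horse", "bob": "battery-staple"}


class State(Enum):
    LOGGED_OUT = auto()  # explicit logout: local data and push registration cleared
    ACTIVE = auto()      # valid session; normal use
    EXPIRED = auto()     # re-auth required; cached work and push registration kept


@dataclass
class Session:
    user_id: str
    token: Optional[str]  # None models "mobile token was deleted"
    expires_at: float     # seconds since login, set from the institution's plugin


@dataclass
class MobileClient:
    session_lifetime: float                       # plugin setting, in seconds
    session: Optional[Session] = None
    state: State = State.LOGGED_OUT
    drafts: dict = field(default_factory=dict)    # in-progress work cached locally
    push_registered: bool = False
    login_screen_open: bool = False
    message: Optional[str] = None

    def login(self, user_id: str, password: str, now: float) -> bool:
        """Authenticate; on success start a fresh session. A different user
        logging in on a shared device discards the previous user's cache."""
        if VALID_CREDENTIALS.get(user_id) != password:
            return False  # wrong credentials: flow unchanged, stay on login screen
        if self.session is not None and self.session.user_id != user_id:
            self._clear_local_data()  # previous user is logged out
        self.session = Session(user_id, f"tok-{user_id}-{int(now)}",
                               now + self.session_lifetime)
        self.state = State.ACTIVE
        self.push_registered = True
        self.login_screen_open = False
        self.message = None
        return True

    def _check_session(self, now: float) -> None:
        """Run on every user action and when the app returns to the foreground."""
        if self.state != State.ACTIVE:
            return
        s = self.session
        if s.token is None or now >= s.expires_at:
            self.state = State.EXPIRED
            self.login_screen_open = True
            self.message = ("Your session has expired. Log in again to continue; "
                            "your work has been saved.")

    def save_draft(self, key: str, value: str, now: float) -> bool:
        """Cache the draft first so nothing is lost, then check the session.
        Returns True if the action went through, False if re-auth is required."""
        self.drafts[key] = value
        self._check_session(now)
        return self.state == State.ACTIVE

    def return_to_foreground(self, now: float) -> None:
        self._check_session(now)

    def token_deleted(self) -> None:
        if self.session is not None:
            self.session.token = None

    def close_login_screen(self) -> None:
        """Dismissing the re-auth prompt without authenticating is a logout."""
        if self.state == State.EXPIRED:
            self.logout()

    def logout(self) -> None:
        """Ordinary logout: clears cache, session and push registration."""
        self._clear_local_data()
        self.session = None
        self.state = State.LOGGED_OUT
        self.push_registered = False
        self.login_screen_open = False
        self.message = None

    def _clear_local_data(self) -> None:
        self.drafts.clear()
```

The important distinction the model makes is between `EXPIRED` and `LOGGED_OUT`: an expiry blocks further actions until re-authentication but keeps the draft cache and push registration, whereas closing the login screen or logging out explicitly clears both, which is the behaviour the post describes for shared devices and dismissed prompts.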

FAQ

  • Q: What does this update do?
    • A: Mobile app users now see a notice indicating that it is time to re-authenticate (i.e., log in again) when the session timeout period has expired.
  • Q: When will this update be available?
    • A: It is already in the production environments.
  • Q: How can I kick users or kick all users on mobile?
  • Q: Are teachers also impacted by this new plugin?
    • A: The updated system respects session timeout policies for all user roles, including instructors and observers.
  • Q: How do I set session timeout periods?
    • A: Please contact your CSM.

Considerations

While many institutions have established policies around session timeouts and technology logouts—often driven by security and compliance requirements—it's worth pausing to consider how these practices translate to the mobile environment. For institutions currently evaluating or refining their mobile security approach, there’s an opportunity to align policy with platform-appropriate UX principles.

In advising on mobile UX and security best practices, I generally encourage teams to reconsider applying web-style session expiration patterns to native mobile apps. Unlike web platforms, native apps are designed to deliver a persistent, frictionless experience. Introducing frequent forced logouts or timeouts can disrupt that flow—especially for users who rely on the app regularly or in time-sensitive moments.

A more user-centered and secure approach is to encourage intentional logouts, particularly on shared devices. By providing clear sign-out options and educating users on responsible session management, you can maintain strong security standards without compromising the user experience.

Session expiration should be treated as an exception, reserved for specific risk scenarios, rather than a default pattern in mobile environments. Striking the right balance between usability and security not only enhances trust but also drives better engagement.

What Is Next?

As part of our continued focus on improving the mobile experience in Canvas, especially around authentication and user session management, we're also looking ahead to more accurate and meaningful insights into mobile app engagement.

Next on our roadmap is Hybrid User Tracking—an approach that measures activity based on both app foreground usage and active interactions. This will allow us to track mobile usage more precisely, ensuring user data reflects actual engagement rather than background activity.

If mobile usage insights are important at your institution, or if you have existing tracking strategies you’d like to share, we welcome your feedback. Please feel free to add your thoughts as comments to this blog post!
