Selective Two-Factor Authentication for External Users

Duo and Central Authentication Service (CAS) allow us to enable two-factor authentication selectively for our SIS users but we also need selective two-factor authentication for our external users that login through the side door URL.

2FA isn't the ultimate security measure but institutions that use external accounts for admin purposes would probably appreciate bigger padlocks on the side doors. Not all external users would need 2FA but having the option would be awesome.

This idea has been developed and deployed to Canvas

For more information, please read through the  Canvas Deploy Notes (2021-06-09).

9 Comments
A00364575
Community Participant

This probably won't get a lot of votes because it's mostly an admin feature, but that doesn't diminish its importance. This will be a big step for Canvas to continue saying it's the most secure LMS around. Thanks for posting!

mmitchell
Community Contributor
Author

Thanks for up-voting Neal!

ahess4
Community Contributor

I think you are talking about 2FA for internally authenticated accounts in canvas. In that case, 2FA is already available in the open source version of canvas (and has been for quite some time - as in years), and it works great. It even works with the Duo app by adding a new account in the app and scanning the 3d barcode. Couldn't be too hard for Instructure to roll this feature into the production version...

I haven't played around with it and Duo/external authentication, yet. So, I'm not sure if set to 'Required', if that will be for internal auth account only, or potentially apply to external auth and Duo (or any other external 2FA setup) - creating a situation where external auth users have two 2FA prompts when they login. In our situation, only admins have internal auth ability, so 'Required for Admins' would work great for us.

The options for it are: Disabled, Optional, Required for Admins, Required.

271478_Screenshot from 2018-03-23 10-06-47.png

271480_Screenshot from 2018-03-23 10-09-50.png

271481_Screenshot from 2018-03-23 10-19-29.png

271482_Screenshot from 2018-03-23 10-20-05.png

mmitchell
Community Contributor
Author

Required for Admins would be an excellent solution. All of our admin accounts would be covered. Thank you for sharing this. The screenshots are perfect.

Stef_retired
Instructure Alumni
Instructure Alumni
Status changed to: On Beta
 
Stef_retired
Instructure Alumni
Instructure Alumni
Comments from Instructure

 

Canvas Multi-Factor Authentication can be set on a per-authentication-provider basis. This change allows admins to set MFA requirements for individual authentication providers.

For more information, please read through the  Canvas Deploy Notes (2021-06-09).

Stef_retired
Instructure Alumni
Instructure Alumni
Status changed to: Complete
 
KristinL
Community Team
Community Team
Status changed to: New
 
KristinL
Community Team
Community Team
Status changed to: Completed