Adding Password Options to the Canvas Authentication Provider

jperkins
Instructure
Instructure
12
1997

Canvas.png

Security has always been one of Instructure’s core values as we work to develop Canvas for the modern world. The majority of our users leverage one of our many SSO Integrations for logging users into Canvas. However, approximately 12% of login events we see are leveraging a native Canvas username and password. We have heard many requests to improve the customization options available, to enhance the Canvas username / password authentication flow. We are excited to announce some upcoming customization options.

New Functionality

On September 21, we’ll be releasing to Canvas production a feature flag, Enhance Password Options, to enable Admins to customize Canvas authentication provider password options. The Feature will be available for testing in Canvas Beta starting September 11. 

Note: Testing certain aspects of this feature in Canvas beta may be difficult due to the lack of user notifications in Canvas Beta (necessary to complete forgotten password workflows).

Once the feature option has been enabled in Root Account Settings, navigating to a Canvas Instance Root Account -> Authentication and scrolling to the Canvas provider will display a new Password Options section. Clicking on the View Options button will launch a side tray for admins to customize their password options.

 

A picture of a Canvas Root Account Authentication page with the new password options tray open. The available password options for configuration are visible.A picture of a Canvas Root Account Authentication page with the new password options tray open. The available password options for configuration are visible.

 

The password options available for customization are as follows:

  • Increase the minimum character length for new passwords
  • Require a number character in the password
  • Require a symbol character in the password
  • Add additional custom forbidden words/terms beyond Canvas’ default
    • The file type is a .txt file with a single word per row
      • Limited to less than 1MB file size (approximately 100k terms)
    • This feature will match only if the uploaded term and attempted password are exactly the same
      • No partial matches
  • Customize the maximum number of failed login attempts allowed in a row before temporarily suspending a user’s login

The “Current Password Configuration” information box contains the same information that a user will be presented with when they are asked to set a password (as part of both new user and reset password workflows).

A screenshot of a text box from the password options tray containing the current password requirements that a user setting a new password would need to comply with.A screenshot of a text box from the password options tray containing the current password requirements that a user setting a new password would need to comply with.

Limitations

Some known limitations around these options at the time of initial release but (where possible) intend to be addressed as part of future work include:

  • Users with existing passwords not in compliance with updated policies cannot be prompted to update their passwords.
    • Passwords are cryptographically hashed in Canvas and not stored as plain text. This means we cannot identify password violations.
  • Administrators setting passwords on behalf of another user may not be required to meet the password policy at this time (dependent on configuration options).
    • Your institution may not have this functionality enabled. This is an account setting that only Instructure Employees may enable for your account.
  • SIS Imports of passwords may not be required to meet the password policy at this time 
    • SIS Import errors may or may not be generated after SIS import, depending on configuration options.
    • It is recommended that if your institution is uploading passwords via SIS Import, you should validate that the provided passwords are in compliance with configured policies before uploading.

Future State

You’ll see many upcoming enhancements to the authentication experience in Canvas over the upcoming year. We are fully aware that the added functionality as part of this feature release is not comprehensive enough to cover all the needs of all our customers. This work helps lay the foundation for additional features down the road.

12 Comments
KNGoh
Community Explorer

@jperkins, the password options are very helpful to better align with internal password policies.

It will be excellent if the additional options are available

  1. Option to set a validity lifetime for passwords, i.e. expires after X days
  2. Option to automatically suspend the account if the expired password is not updated after a grace period
marthazumack
Community Contributor

@KNGoh Given that security experts no longer recommend automatically expiring passwords, I'm not sure that's needed! See this advice from the National Cyber Security Centre for example

dbrace
Community Coach
Community Coach

It would be helpful if uppercase characters can also be set as a required type of character.

Out of curiosity, after reviewing the github link with default forbidden words/terms/sequences, why were some of them included by default?

Over time, will Instructure/Canvas be modifying the default list and communicate when those modifications occur?

jperkins
Instructure
Instructure
Author

@dbrace Canvas has had the code for limiting passwords using common words/terms/sequences since 2013. The list is updated periodically by referencing the top 100 most used passwords from Wikipedia's top passwords list. We purposely omit any passwords containing vulgar words from that list as we don't want them in a public repository for an education company. These updates are infrequent (as the most common passwords don't change much anymore), but we can certainly work to include something in our release note if it is updated.

jperkins
Instructure
Instructure
Author

@KNGoh @dbrace Thank you for your suggestions on additional improvements we could make to the policies going forward. I've captured your requests for future consideration during development of this feature.

pgo586
Community Contributor

Has the launch of this feature been delayed at all @jperkins ? I'm not seeing it as a feature option in our Canvas Beta Instance.

RyanNorton
Instructure
Instructure

@pgo586 Thanks for reaching out.  You're correct, there was a small delay on that, but this should be available now.  Can you confirm this is working for you?

adam_marshall
Community Explorer

nope still not working for us (Oxford). Our CSM also said it should be there but it aint.

pgo586
Community Contributor

Yes, it's there now. Thanks @RyanNorton

RyanNorton
Instructure
Instructure

@adam_marshall I'm sorry to hear that.  From what I can see this should be available, if you're still not seeing this in your Beta account please have your CSM reach out to me directly and I can work with them to confirm.

adam_marshall
Community Explorer

it is there, I hadnt enabled the option. d'oh.

RyanNorton
Instructure
Instructure

@adam_marshall Awesome, so glad to hear it!  Let us know if you have any questions!