(12/02/2023) The feature got postponed for various reasons, but it is still on the roadmap and we are reviewing it on a quarterly basis. I will update this blog post once we put it in motion again.
When you open the Canvas mobile apps, they keep you logged in, even if you put the app to the background or close it completely. This behavior adds convenience for the users and is typically what we expect from a mobile application in 2022. But many times convenience comes with sacrifice. In discussions with various institutions, we've discovered that keeping users logged in can be cause for concern in certain situations such as:
The ideal solution finds the balance between user experience and security. What seems perfect for one might be a problem for another. It looks like there is no “one size fits all”.
Instead of detailing the discovery and design process that we’ve undertaken, I will mention some key results. During interviews with some Canvas institutions, we considered PIN code authentication, biometric authentication, and several different versions of token-based authentication. I won't detail the pros and cons of each solution; I will just describe the solution that we think might be acceptable for the use cases we are aware of.
Most importantly, we will stick to token-based authentication. This is how the applications work today, but we will add new configuration options at the institution/account level. Your customer success manager will help you to configure those settings.
If desired, you will now be able to limit the duration of the mobile session based on two new settings:
If configured, you must choose values for BOTH settings; you cannot configure only Setting 1 or only Setting 2.
This setting ensures the user has a persistent mobile session, regardless of their activity, until the timer expires. Once the timer expires, Canvas switches to using the activity-based timer to determine session persistence.
How can the Setting 1 timer expire?
What happens if the Setting 1 timer expires?
We have 2 possibilities here:
Some more information about this setting:
The sliding expiration time prevents a user from being logged out while they are still active in the application; it is always counted from the last activity. Imagine a timer set to 4 hours that is reset every time I interact with the apps. This timer will only expire if I don’t do anything in the apps for 4 hours. Actions that reset the timer include opening a screen, loading an assignment or submission, reading an inbox message, writing or reading announcements, and checking grades. This behavior is why we often refer to this timer as “time since last activity”.
How can the Setting 2 timer expire?
What happens if the Setting 2 timer expires?
We have 2 possibilities here:
Some more information about this setting:
What happens if I am logged out because of these settings?
Don’t worry, no catastrophe, but you will need to log in again, which means selecting the school and providing your user credentials.
These additional settings are how we can ensure that nobody will be logged out while they are actively working in the Canvas Mobile applications, while security is still considered. By coordinating with their Instructure Customer Success Manager, admins will be able to configure the system according to their security policies. As an end user, you would notice one change: from time to time you will be asked to log in to the app again. The frequency of these logins will be determined by the settings chosen by the institution.
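The interaction of the two timers described above, as an added Python sketch that is not Canvas or Instructure code. The class and function names, the 24-hour value used for Setting 1 in the checks, and the strict "less than" boundary are assumptions made for illustration; only the 4-hour sliding example comes from the post.

```python
from dataclasses import dataclass
from typing import Optional

HOUR = 3600  # seconds


@dataclass(frozen=True)
class MobileSessionPolicy:
    """Hypothetical model of the two account-level settings (names are assumed)."""
    persistent_seconds: Optional[int] = None  # Setting 1: fixed window from login
    idle_seconds: Optional[int] = None        # Setting 2: sliding window from last activity

    def __post_init__(self):
        # The post requires values for BOTH settings, or for neither.
        if (self.persistent_seconds is None) != (self.idle_seconds is None):
            raise ValueError("configure both settings or neither")
        if self.persistent_seconds is not None:
            if min(self.persistent_seconds, self.idle_seconds) <= 0:
                raise ValueError("timers must be positive")


@dataclass
class MobileSession:
    logged_in_at: float       # epoch seconds of the last full login
    last_activity_at: float   # epoch seconds of the last interaction


def session_state(policy, session, now):
    """Return 'unlimited', 'persistent', 'sliding' or 'expired' at time `now`."""
    if policy.persistent_seconds is None:
        return "unlimited"    # nothing configured: the app keeps the user logged in
    if now - session.logged_in_at < policy.persistent_seconds:
        return "persistent"   # Setting 1 still running: activity is irrelevant
    if now - session.last_activity_at < policy.idle_seconds:
        return "sliding"      # Setting 1 is over: Setting 2 decides
    return "expired"          # the user has to log in again


def record_activity(policy, session, now):
    """Reset the sliding timer on an interaction; an expired session stays expired."""
    state = session_state(policy, session, now)
    if state != "expired":
        session.last_activity_at = now
    return state
```

Under this reading a user who keeps interacting is never logged out, so the two settings bound idle exposure on an unattended device rather than total session lifetime.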
Special thanks to Jesse Poulos (Product Manager of another Canvas team) for helping me put this post together. His team will do the majority of the work. This project is a work in progress and we will definitely let you know when the feature gets released.
The content in this blog is over six months old, and the comments are closed. For the most recent product updates and discussions, you're encouraged to explore newer posts from Instructure's Product Managers.
Sr Product Manager