Okta vulnerability allowed accounts with long usernames to log in without a password

In a new security advisory, Okta has revealed that its system had a vulnerability that allowed people to log into an account without having to provide the correct password. Okta bypassed password authentication if the account had a username of 52 or more characters. Further, its system had to detect a “stored cache key” of a previous successful authentication, which means the account’s owner had to have a previous history of logging in using that browser. The vulnerability also didn’t affect organizations that require multi-factor authentication, according to the notice the company sent to its users.

Still, a 52-character username is easier to guess than a random password — it could be as simple as a person’s email address that has their full name along with their organization’s website domain. The company has admitted that the vulnerability was introduced as part of a standard update that went out on July 23, 2024 and that it only discovered (and fixed) the issue on October 30. It’s now advising customers who meet all of the vulnerability’s conditions to check their access log over the past few months.
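
The log check described above can be scripted. The following is an added example, not code from Okta or from the advisory: it flags successful logins for usernames of 52 or more characters inside the July 23 to October 30, 2024 window and marks those from an address the user had not logged in from earlier. The record layout (`eventType`, `published`, `actor.alternateId`, `client.ipAddress`, `outcome.result`) is assumed to match a JSON export of the access log, and the sample events are constructed.

```python
from datetime import datetime, timezone

# Conditions from the article: usernames of 52+ characters, and the window
# from the July 23, 2024 update to the October 30, 2024 fix.
MIN_USERNAME_LEN = 52
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive, covers Oct 30

def parse_time(value):
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(events):
    """Return in-window successful logins for long usernames, oldest first."""
    known_ips = {}  # username -> addresses already seen in successful logins
    findings = []
    for ev in sorted(events, key=lambda e: parse_time(e["published"])):
        if ev.get("eventType") != "user.session.start":
            continue
        if ev.get("outcome", {}).get("result") != "SUCCESS":
            continue
        user = ev["actor"]["alternateId"]
        ip = ev.get("client", {}).get("ipAddress")
        when = parse_time(ev["published"])
        seen = known_ips.setdefault(user, set())
        if len(user) >= MIN_USERNAME_LEN and WINDOW_START <= when < WINDOW_END:
            # new_ip: no earlier successful login from this address in the log
            findings.append({"user": user, "time": ev["published"],
                             "ip": ip, "new_ip": ip not in seen})
        seen.add(ip)
    return findings

def make_event(time, user, ip, result="SUCCESS"):
    # Constructed sample record; field names are an assumed export layout.
    return {"eventType": "user.session.start", "published": time,
            "actor": {"alternateId": user}, "client": {"ipAddress": ip},
            "outcome": {"result": result}}

LONG_USER = "alexandria.montgomery-fitzgerald@engineering.example.com"  # 56 chars
SAMPLE_EVENTS = [
    make_event("2024-06-10T08:00:00Z", LONG_USER, "198.51.100.7"),
    make_event("2024-08-02T09:15:00Z", LONG_USER, "198.51.100.7"),
    make_event("2024-09-14T02:41:00Z", LONG_USER, "203.0.113.45"),
    make_event("2024-09-15T10:00:00Z", "bob@example.com", "203.0.113.45"),
    make_event("2024-10-01T11:30:00Z", LONG_USER, "192.0.2.9", "FAILURE"),
    make_event("2024-11-05T12:00:00Z", LONG_USER, "192.0.2.9"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

A flagged entry is only a lead for review: the log alone does not show whether the correct password was supplied, so `new_ip` entries are the ones to follow up with the account owner first.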

Okta provides software that makes it easy for companies to add authentication services to their applications. For organizations with multiple apps, it gives users access to a single, unified log-in so they don’t have to verify their identities for each application. The company didn’t say whether it’s aware of anybody who’s been affected by this specific issue, but in the past, after the threat group Lapsus$ accessed a couple of users’ accounts, it promised to “communicate more rapidly with customers.”
