Sat Nov 02 2024

A login error in Okta bypassed password verification for certain long usernames.

That is just the first condition.

A security flaw has been reported in Okta's authentication system that allowed sign-in to an account with any password, but only if the username had more than 52 characters. The issue was discovered internally on October 30, 2024, and may have been present since an update made on July 23.

The vulnerability originated in how the cache key was generated for the AD/LDAP DelAuth authentication method. Under specific circumstances, when the cache held a key from a previously successful login, a user could authenticate with the username alone. For this to work, the AD/LDAP agent also needed to be unreachable or under high load, so that the cache was consulted first.

To address the problem, Okta changed the cryptographic algorithm used for the cache key from Bcrypt to PBKDF2 after the vulnerability was identified. The company has urged customers whose configurations meet the conditions above to review their system logs for the past three months. Okta has not yet provided further details.
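As an added illustration of the two mechanisms described above (not Okta's code, which the post does not show): a cache key built from concatenated credential parts and fed to a hash with a 72-byte input limit, beside a PBKDF2 variant that hashes the full input. bcrypt is not in the Python standard library, so its 72-byte truncation is modelled with SHA-256 over the first 72 bytes; the concatenation order, the 20-character user id and the salt are constructed assumptions, chosen so that the post's 52-character threshold lands exactly on the 72-byte limit.

```python
import hashlib

# bcrypt hashes only the first 72 bytes of its input; later bytes are ignored.
BCRYPT_INPUT_LIMIT = 72

# Constructed values for the demonstration (not from the post).
SALT = b"constructed-salt"
USER_ID = "u" * 20          # assumed 20-character id prepended to the key material


def truncating_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Model of the weak scheme: credential parts are joined into one string and
    passed to a hash that silently drops everything past 72 bytes. The drop is
    modelled with SHA-256 over the truncated material, standing in for bcrypt."""
    material = f"{user_id}{username}{password}".encode()
    return hashlib.sha256(salt + material[:BCRYPT_INPUT_LIMIT]).digest()


def pbkdf2_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Hardened variant: PBKDF2-HMAC-SHA256 consumes its whole input, so the
    password contributes to the key no matter how long the username is."""
    material = f"{user_id}{username}{password}".encode()
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def password_affects_key(key_fn, user_id: str, username: str, salt: bytes) -> bool:
    """True when two different passwords produce different cache keys.
    False means a cache hit would succeed with any password for that username."""
    key_right = key_fn(user_id, username, "correct horse battery", salt)
    key_wrong = key_fn(user_id, username, "anything else at all", salt)
    return key_right != key_wrong


if __name__ == "__main__":
    for name in ("alice", "a" * 52):
        print(f"{len(name):2d}-char username: truncating scheme keeps password? "
              f"{password_affects_key(truncating_cache_key, USER_ID, name, SALT)}, "
              f"PBKDF2 scheme keeps password? "
              f"{password_affects_key(pbkdf2_cache_key, USER_ID, name, SALT)}")
```

With the 20-character id, a 52-character username fills the 72-byte window exactly, so the truncating scheme ignores the password entirely while the PBKDF2 scheme still distinguishes passwords.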