The Okta vulnerability allowed accounts with long usernames to log in without a password

In a new security advisory, Okta revealed that its system had a vulnerability that allowed people to log into an account without providing the correct password. Okta skips password verification if the account has a username of 52 characters or more. In addition, its system had to find a “stored cache key” for previous successful authentications, meaning the account holder had to have a previous history of logging in using that browser. It also did not affect organizations that require multi-factor authentication, according to a notice the company sent to its users.

However, a 52-character username is easier to guess than a random password — it could be as simple as a person’s email address with their full name and their organization’s website domain. The company acknowledged that the vulnerability was introduced as part of a general update that came out on July 23, 2024 and only discovered (and fixed) the problem on October 30. Now it advises customers who meet all the conditions of the vulnerability to check their access record for the past few months.

Okta provides software that makes it easy for companies to add authentication services to their system. For organizations with multiple applications, it provides users with single, unified sign-on access so they don’t have to verify their identity in each application. The company did not say whether it knew anyone affected by the problem, but it promised to “immediately communicate with customers” in the past after the Lapsus$ threat group accessed several user accounts.