Okta Authentication Vulnerability Exposes Accounts With Long Usernames

Okta, a leading identity and authentication provider, has disclosed an unusual vulnerability in its Active Directory/LDAP Delegated Authentication (AD/LDAP DelAuth): anyone who knew a username of 52 characters or more could, under certain conditions, authenticate to that account without knowing its password. Okta discovered the flaw on October 30, 2024 and fixed it in production the same day.

According to Okta’s security advisory, DelAuth cached successful logins under a key generated with Bcrypt from the concatenated string userId + username + password. Bcrypt only uses the first 72 bytes of its input, so once the user ID plus a username of 52 characters or more filled that space, the password no longer influenced the key. When the cache was consulted (Okta used it when the AD/LDAP agent was down or unreachable, for example under heavy load), a key cached from an earlier successful login for that username matched whatever password was supplied, including none at all, and the login succeeded. Where multi-factor authentication was enforced, the bypass was still stopped at the MFA step.
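The truncation behaviour described above, as an added example that is not Okta's code: a vulnerable cache-key derivation next to a hardened one. Real bcrypt is not used here; `bcrypt_stand_in` only reproduces the one property that matters, that bytes past position 72 are dropped (an assumption stated in the code). The sample user ID and usernames are constructed, and the 20-character user ID is an assumption modelled on Okta's `00u…` identifiers, which is what makes 52 the username length at which 20 + 52 = 72 and the password falls entirely outside the key. The hardened version uses PBKDF2-HMAC, which consumes every input byte, and length-prefixes each field so no field can shift or swallow another.

```python
import hashlib
import hmac

BCRYPT_MAX_INPUT = 72  # bcrypt derives its key from at most 72 input bytes; the rest is ignored


def bcrypt_stand_in(data: bytes) -> str:
    """Stand-in used only to model bcrypt's 72-byte input limit (assumption: this is
    not bcrypt; real bcrypt also salts and iterates, which is irrelevant to the bug).
    Everything past byte 72 is dropped before hashing, as bcrypt would ignore it."""
    return hashlib.sha256(data[:BCRYPT_MAX_INPUT]).hexdigest()


def vulnerable_cache_key(user_id: str, username: str, password: str) -> str:
    """Pre-fix shape of the DelAuth cache key: a bcrypt over userId + username + password."""
    return bcrypt_stand_in((user_id + username + password).encode("utf-8"))


def hardened_cache_key(user_id: str, username: str, password: str,
                       salt: bytes = b"per-tenant-random-salt") -> str:
    """Hardened shape: PBKDF2-HMAC consumes every input byte, and each field is
    length-prefixed so a long username cannot shift or swallow the password.
    The fixed salt is an illustration assumption; use a random per-entry salt."""
    fields = (user_id.encode("utf-8"), username.encode("utf-8"), password.encode("utf-8"))
    material = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000).hex()


def password_bytes_covered(user_id: str, username: str) -> int:
    """How many bytes of the password the bcrypt-style key actually depends on."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_MAX_INPUT - prefix_len)


def cache_accepts(key_fn, user_id: str, username: str,
                  cached_password: str, presented_password: str) -> bool:
    """Cache-hit check: does the key for the presented password equal the stored one?"""
    stored = key_fn(user_id, username, cached_password)
    presented = key_fn(user_id, username, presented_password)
    return hmac.compare_digest(stored, presented)


# Constructed sample identities, not real accounts. Assumption: a 20-character user ID
# like Okta's "00u..." identifiers, so 20 + 52 = 72 and a 52-character username pushes
# the whole password past the bcrypt limit.
USER_ID = "00u1qazxsw23edcvfr45"
SHORT_USERNAME = "jdoe@example.com"
LONG_USERNAME = "alexandra.montgomery-whitfield@engineering.example.com"  # 54 characters


if __name__ == "__main__":
    for name in (SHORT_USERNAME, LONG_USERNAME):
        covered = password_bytes_covered(USER_ID, name)
        hit = cache_accepts(vulnerable_cache_key, USER_ID, name, "correct horse battery", "wrong")
        print(f"{len(name):2d}-char username: bcrypt key covers {covered} password bytes; "
              f"wrong password accepted: {hit}")
    print("hardened key accepts wrong password:",
          cache_accepts(hardened_cache_key, USER_ID, LONG_USERNAME, "correct horse battery", "wrong"))
```

Running it shows the short username leaving 36 password bytes inside the key (wrong password rejected) and the long one leaving zero (any password, or an empty one, accepted). A username a little under the threshold is also worth checking with `password_bytes_covered`: at 51 characters only the first password byte is compared, which is a 1-in-256 guess rather than a full bypass but still far from a real password check.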

Okta advises customers who meet the preconditions (AD/LDAP DelAuth in use, MFA not enforced, and exposure to the release that introduced the bug on July 23, 2024) to review their Okta System Log for successful authentications from usernames of 52 characters or more between July 23, 2024 and October 30, 2024. The number of affected accounts is likely small, since few usernames reach 52 characters, but security experts consider the vulnerability serious: a password check that silently ignores the password is a complete authentication bypass rather than a weakening, and it arose from a well-documented property of Bcrypt, not from an exotic attack.
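The log review Okta recommends, as an added example that is not part of the original article or Okta's guidance: a small filter over newline-delimited Okta System Log events that flags successful password-based logins from usernames of 52 characters or more inside the advisory window. The sample events are constructed; the field names (`published`, `eventType`, `actor.alternateId`, `outcome.result`) follow the System Log shape, but the specific event types in `AUTH_EVENT_TYPES` are assumptions about which events a DelAuth password check produces and should be adjusted to what your tenant actually logs.

```python
import json
from datetime import datetime, timezone

MIN_USERNAME_LEN = 52
# Advisory window: bug introduced July 23, 2024, fixed October 30, 2024 (inclusive).
WINDOW_START = datetime(2024, 7, 23, tzinfo=timezone.utc)
WINDOW_END = datetime(2024, 10, 31, tzinfo=timezone.utc)  # exclusive bound covering all of Oct 30

# Assumption: event types treated as a DelAuth password check. Illustrative only;
# replace with the event types your tenant records for delegated authentication.
AUTH_EVENT_TYPES = {
    "user.session.start",
    "user.authentication.auth_via_AD_agent",
    "user.authentication.auth_via_LDAP_agent",
}

# Constructed newline-delimited JSON in the Okta System Log shape; these are not real events.
SAMPLE_LOG = """\
{"published": "2024-09-12T08:15:03Z", "eventType": "user.session.start", "actor": {"alternateId": "alexandra.montgomery-whitfield@engineering.example.com"}, "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-09-12T08:16:44Z", "eventType": "user.session.start", "actor": {"alternateId": "jdoe@example.com"}, "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.11"}}
{"published": "2024-06-01T10:00:00Z", "eventType": "user.session.start", "actor": {"alternateId": "alexandra.montgomery-whitfield@engineering.example.com"}, "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "203.0.113.10"}}
{"published": "2024-10-29T17:42:10Z", "eventType": "user.authentication.auth_via_AD_agent", "actor": {"alternateId": "christopher.bartholomew-vanderberg@finance.example.org"}, "outcome": {"result": "FAILURE"}, "client": {"ipAddress": "198.51.100.7"}}
{"published": "2024-10-30T23:59:59Z", "eventType": "user.authentication.auth_via_AD_agent", "actor": {"alternateId": "christopher.bartholomew-vanderberg@finance.example.org"}, "outcome": {"result": "SUCCESS"}, "client": {"ipAddress": "198.51.100.7"}}
{"published": "2024-10-30T12:00:00Z", "eventType": "user.account.update_password", "actor": {"alternateId": "alexandra.montgomery-whitfield@engineering.example.com"}, "outcome": {"result": "SUCCESS"}}
"""


def parse_published(ts: str) -> datetime:
    """Okta timestamps are ISO 8601 with a trailing Z; make them timezone-aware."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def is_candidate(event: dict) -> bool:
    """True for a successful password-based login from a username long enough to have
    hit the truncated cache key, published inside the advisory window."""
    if event.get("eventType") not in AUTH_EVENT_TYPES:
        return False
    if (event.get("outcome") or {}).get("result") != "SUCCESS":
        return False
    username = (event.get("actor") or {}).get("alternateId") or ""
    if len(username) < MIN_USERNAME_LEN:
        return False
    published = parse_published(event["published"])
    return WINDOW_START <= published < WINDOW_END


def find_candidates(ndjson: str) -> list:
    """Return the flagged events, reduced to the fields an analyst needs for follow-up."""
    flagged = []
    for line in ndjson.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        if is_candidate(event):
            username = event["actor"]["alternateId"]
            flagged.append({
                "published": event["published"],
                "eventType": event["eventType"],
                "username": username,
                "username_length": len(username),
                "ip": (event.get("client") or {}).get("ipAddress"),
            })
    return flagged


def summarize(flagged: list) -> dict:
    """Count flagged logins per username so the most-exposed accounts surface first."""
    counts = {}
    for item in flagged:
        counts[item["username"]] = counts.get(item["username"], 0) + 1
    return dict(sorted(counts.items(), key=lambda kv: -kv[1]))


if __name__ == "__main__":
    hits = find_candidates(SAMPLE_LOG)
    for hit in hits:
        print(hit["published"], hit["eventType"], f"len={hit['username_length']}",
              hit["username"], hit["ip"])
    print(summarize(hits))
```

On the sample data this flags two of the six events: the long-username session start in September and the successful AD-agent login on the last day of the window, while the short username, the pre-window login, the failed attempt and the non-login event are left alone. Flagged logins then need the usual follow-up, comparing the source IP and client against the account's normal pattern and checking whether the session had MFA, since a long username alone proves exposure, not exploitation.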

Note: The article has been condensed and rephrased to simplify the original content while retaining essential information.

Source: https://www.forbes.com/sites/daveywinder/2024/11/02/username-over-52-characters-no-password-required-says-okta