Okta Discovers Auth Bypass Bug in 52-Character Usernames

Okta has disclosed a security bug that could have allowed attackers to bypass authentication using only a username. The issue affects users with long names and/or employers with verbose domain names, particularly those with usernames exceeding 52 characters.

The bug could be exploited under specific conditions, including when the targeted account had a successful login attempt stored and multi-factor authentication (MFA) was disabled. Okta discovered the issue on October 30 and fixed it immediately.

To mitigate this vulnerability, Okta recommends implementing MFA at minimum and enrolling users in phishing-resistant authenticators. Brave security engineer Yan Zhu suggests using the SHA-256 algorithm to mitigate the impact of the bcrypt algorithm’s input limitations.
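The following is an added example, not code from Okta or from the article, showing why a long username matters when a bcrypt-derived value is built from user data and why SHA-256 pre-hashing helps. It assumes (these are assumptions, not details the page states) that the value is derived from the concatenation of a user id, the username and the password, and that the user id is 20 bytes long; bcrypt is not called here, its documented 72-byte input limit is modelled by slicing, and SHA-256 stands in for the hash so the block runs with the standard library only.

```python
import hashlib

# bcrypt only consumes the first 72 bytes of its input; everything after
# that is silently ignored (documented behaviour of the algorithm).
BCRYPT_INPUT_LIMIT = 72

# Constructed placeholder for a 20-byte user id (assumption; the page gives no length).
EXAMPLE_USER_ID = "00u" + "x" * 17


def bcrypt_effective_input(material: bytes) -> bytes:
    """Bytes a bcrypt call would actually see. Modelled by slicing, not a real bcrypt call."""
    return material[:BCRYPT_INPUT_LIMIT]


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many bytes of the password still fit inside the 72-byte window.
    Byte length is what matters, so non-ASCII usernames hit the limit sooner."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def cache_key_truncating(user_id: str, username: str, password: str) -> str:
    """Hypothetical weak construction: concatenate, then hand the raw bytes to bcrypt.
    With a 20-byte id, a 52-character ASCII username fills the window and the
    password no longer influences the result at all."""
    material = (user_id + username + password).encode("utf-8")
    return hashlib.sha256(bcrypt_effective_input(material)).hexdigest()


def cache_key_prehashed(user_id: str, username: str, password: str) -> str:
    """Mitigated construction: SHA-256 the full input first. The 64-byte hex digest
    is below the limit, so every input byte affects the key."""
    material = (user_id + username + password).encode("utf-8")
    digest = hashlib.sha256(material).hexdigest().encode("ascii")  # 64 bytes < 72
    return hashlib.sha256(bcrypt_effective_input(digest)).hexdigest()


def password_influences_key(key_fn, user_id: str, username: str) -> bool:
    """Defender-side check: do two different passwords yield different keys?
    Returns False when the password has been truncated away entirely."""
    a = key_fn(user_id, username, "first-password")
    b = key_fn(user_id, username, "second-password")
    return a != b


if __name__ == "__main__":
    long_user = "a" * 52  # constructed 52-character username
    print("password bytes hashed:", password_bytes_hashed(EXAMPLE_USER_ID, long_user))
    print("truncating key depends on password:",
          password_influences_key(cache_key_truncating, EXAMPLE_USER_ID, long_user))
    print("pre-hashed key depends on password:",
          password_influences_key(cache_key_prehashed, EXAMPLE_USER_ID, long_user))
```

The useful audit habit here is the `password_bytes_hashed` check: for any scheme that feeds user-controlled strings into bcrypt, compute the byte length of everything that precedes the secret and confirm it stays well below 72, or pre-hash so the question never arises. Note that bcrypt's real limit has further edge cases (some implementations also stop at the first NUL byte), which this model does not cover.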

Source: https://www.theregister.com/2024/11/04/why_the_long_name_okta