Okta fixes a bug that allowed passwordless access for usernames of 52 or more characters

The identity verification company Okta has fixed a vulnerability, present in its system since July, that allowed access without a password as long as the username entered was 52 or more characters long.

Okta is used by numerous organizations and governments around the world as a single sign-on provider, a service intended to secure access to internal company systems. Among them are hundreds of email accounts, applications and databases.

The company announced in a statement that on October 30 it internally identified a vulnerability in the generation of the cache key used for AD/LDAP delegated authentication (DelAuth).

The flaw, which had been present in the service since July 23 as part of a standard Okta release, allowed a user to authenticate in other ways, for example with the cache key stored from a previous successful authentication.

The company added that exploiting the vulnerability required a username of 52 characters or more and that multi-factor authentication (MFA) not be enforced.

Okta has also announced that the error has been resolved by changing the cryptographic algorithm used, moving from Bcrypt to PBKDF2. It has likewise urged its customers to enforce multi-factor authentication "at a minimum."
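The 52-character threshold lines up with a known property of Bcrypt: it processes only the first 72 bytes of its input, so a password appended after a long enough user id and username never reaches the hash, and two different passwords produce the same key. The Python model below is an added illustration, not Okta's code. It assumes the cache key was derived from the concatenation of a user id, the username and the password (the article does not state the exact composition) and a 20-character user id, which is what makes 72 - 20 = 52 the length at which the password stops contributing. Bcrypt itself is stood in for by SHA-256 over the truncated input so the example runs on the standard library alone; the PBKDF2 side uses hashlib's real implementation, which imposes no input limit.

```python
import hashlib
import hmac

# bcrypt consumes at most the first 72 bytes of its input; everything after is ignored.
BCRYPT_INPUT_LIMIT = 72

# Constructed sample values. The 20-character user id is an assumption that makes the
# article's 52-character threshold line up with the 72-byte limit (72 - 20 = 52).
USER_ID = "00uEXAMPLEID0000000a"          # 20 characters, constructed
SALT = b"constructed-salt-for-demo"        # constructed


def combined_material(user_id: str, username: str, password: str) -> bytes:
    """Assumed cache-key input: user id, username and password concatenated."""
    return (user_id + username + password).encode("utf-8")


def bcrypt_style_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Model of the pre-fix derivation.

    Only bcrypt's truncation behaviour is modelled: bytes past the 72nd are dropped
    before hashing. SHA-256 stands in for bcrypt so this runs offline.
    """
    truncated = combined_material(user_id, username, password)[:BCRYPT_INPUT_LIMIT]
    return hashlib.sha256(salt + truncated).digest()


def pbkdf2_cache_key(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Model of the post-fix derivation: PBKDF2-HMAC-SHA256 hashes the whole input."""
    material = combined_material(user_id, username, password)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def password_bytes_hashed(user_id: str, username: str) -> int:
    """How many bytes of the password a 72-byte-limited hash actually sees."""
    prefix_len = len((user_id + username).encode("utf-8"))
    return max(0, BCRYPT_INPUT_LIMIT - prefix_len)


def cache_key_matches(stored: bytes, candidate: bytes) -> bool:
    """Constant-time comparison of a stored cache key against a freshly derived one."""
    return hmac.compare_digest(stored, candidate)


def compare_derivations(username: str, real_password: str, wrong_password: str) -> dict:
    """Derive the stored key with the real password, then test a wrong password
    against it under both derivations. Reports whether each one wrongly matches."""
    stored_old = bcrypt_style_cache_key(USER_ID, username, real_password, SALT)
    stored_new = pbkdf2_cache_key(USER_ID, username, real_password, SALT)
    wrong_old = bcrypt_style_cache_key(USER_ID, username, wrong_password, SALT)
    wrong_new = pbkdf2_cache_key(USER_ID, username, wrong_password, SALT)
    return {
        "username_length": len(username),
        "password_bytes_hashed": password_bytes_hashed(USER_ID, username),
        "wrong_password_accepted_bcrypt_style": cache_key_matches(stored_old, wrong_old),
        "wrong_password_accepted_pbkdf2": cache_key_matches(stored_new, wrong_new),
    }


if __name__ == "__main__":
    # 52-character username: the password lies entirely past the 72-byte limit.
    long_name = "a" * 52
    # 51-character username: one byte of the password still reaches the hash.
    shorter_name = "a" * 51
    for name in (long_name, shorter_name):
        print(compare_derivations(name, "correct-horse-battery", "anything-else"))
```

With the 52-character username the Bcrypt-style derivation accepts any password while PBKDF2 rejects the wrong one; at 51 characters a single password byte still reaches the hash, which is why the article's threshold is exactly 52. The defensive lesson is the one Okta drew: a key-derivation function must cover the whole secret, and MFA is the control that limits the damage when it does not.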

Although it has not confirmed that the vulnerability was exploited, it has "strongly" recommended that users enroll their accounts with phishing-"resistant" authenticators, for example FIDO2 WebAuthn.

By Editor
