Username Over 52 Characters? No Password Required, Says Okta

In what has to be one of the most bizarre security advisories of recent times, authentication provider Okta has confirmed that usernames of 52 characters or more meant that anyone could access the “protected” account without knowing the password. Yes. Seriously.

The Okta Security Advisory

Having a job that requires the reading of a lot of security advisories I will readily admit that not much shocks me any more. But the security advisory published on Nov. 01 by authentication colossus Okta did just that, and then some. The title was boring enough “Okta AD/LDAP Delegated Authentication – Username Above 52 Characters Security Advisory” but, oh boy, did the content deliver.

It wasn’t the vulnerability itself, discovered in cache key generation using a Crypt algorithm per se. It was the “specific conditions” in which this could allow “users to authenticate by only providing the username” when a cached key of a previous successful authentication session was stored that got me all wide-eyed and restless.

ForbesNew Password Hack Attack—Chrome, Facebook, Netflix, PayPal Users At RiskBy Davey Winder

“A precondition for this vulnerability is that the username must be or exceed 52 characters any time a cache key is generated for the user.”

Yep, you read that right: a username of at least 52 characters inn length would mean that no password needed to be entered in order to access the account or resource being protected by Okta authentication.

The affected product version being Okta AD/LDAP DelAuth as of July 23, 2024. Okta said that it discovered the vulnerability on Oct. 30 and was resolved the same day. “Customers meeting the preconditions should investigate their org system log for this issue between the period of July 23rd, 2024 to October 30th, 2024,” Okta said.

I have approached Okta for a statement but none was available at the time of publication.

ForbesNew Windows Warning As Hacker Breaks Google Chrome 2FA Security EncryptionBy Davey Winder

Although this is, of course, a serious issue, one should bear in mind that the number of people with usernames of 52 characters or more is going to be few to say the least. However, let’s not minimize the seriousness of the fact that such a vulnerability should be present, even for a few months, within a product from an authentication outfit such as Okta.

Most online username generators that I tried won’t even allow you to specify 52 characters for the length. It would be interesting to know how many users were actually imnpacted by this from Okta.