
Long username? Okta says: no password needed!

What's this blog post about?

Okta has recently released a security advisory stating that accounts with usernames longer than 52 characters could, under certain conditions, authenticate without a password. The issue stems from Okta's use of Bcrypt, a password hashing algorithm, to generate cache keys from a single string that combines the user ID, username, and password. Using a password hash this way is unconventional and raises concerns about Okta's security design priorities. The vulnerability was introduced in a standard Okta release in July 2024, despite the company's stated commitment to becoming one of the most secure companies in the world. The post argues that this highlights the importance of open source and transparent identity providers such as authentik.

Company
Authentik Security

Date published
Nov. 2, 2024

Author(s)
Fletcher Heisler

Word count
800

Hacker News points
None found.

Language
English


By Matt Makai. 2021-2024.