The Register: Why the long name? Okta discloses auth bypass bug affecting 52-character usernames

Source URL: https://www.theregister.com/2024/11/04/why_the_long_name_okta/
Source: The Register
Title: Why the long name? Okta discloses auth bypass bug affecting 52-character usernames

Feedly Summary: Mondays are for checking months of logs, apparently, if MFA’s not enabled
In potentially bad news for those with long names and/or employers with verbose domain names, Okta spotted a security hole that could have allowed crims to pass Okta AD/LDAP Delegated Authentication (DelAuth) using only a username.…

AI Summary and Description: Yes

Summary: The text discusses a significant security vulnerability identified by Okta related to the handling of long usernames in its authentication process. This flaw could allow unauthorized access under a specific set of conditions, emphasizing the importance of multi-factor authentication (MFA) and stronger hashing methodologies to enhance security.

Detailed Description:
The Okta security hole primarily affects users whose usernames are 52 characters or longer. Under a specific set of conditions, the flaw allowed AD/LDAP Delegated Authentication (DelAuth) to succeed with only a username, which makes it directly relevant to organizational security.

Key Insights:
– **Vulnerability Discovery**: On October 30, Okta discovered a security flaw that had been present for over three months, prompting urgent scrutiny of accounts with long usernames.
– **Exploitation Conditions**: The flaw could be exploited only if all of the following were true:
  – The username was 52 characters or longer.
  – A previous successful login had already stored a cache key for the user; that key was a bcrypt hash of the combined user identifiers.
  – The AD/LDAP agent was down or unreachable (e.g., because of high network traffic), so Okta fell back to the cached key.
  – Multi-factor authentication (MFA) was disabled or not implemented.
– **Countermeasures Recommended**: Okta urges organizations to:
  – Implement MFA as a standard security practice.
  – Use phishing-resistant authentication methods (e.g., FIDO2 WebAuthn, smart cards).
– **Technical Mitigation**: Security engineer Yan Zhu pointed out that bcrypt silently truncates input beyond its fixed length limit, so anything placed after a long prefix stops influencing the hash. Passing the username and password through SHA-256 first, and feeding the fixed-length digest to bcrypt, removes this risk.
– **Actionable Steps**: Okta advised customers to review their logs for any authentication events involving long usernames dating back to July 23, underscoring the need for ongoing vigilance and log monitoring.
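The truncation failure mode and the SHA-256 pre-hash mitigation described above, as an added example that is not part of the article or of Okta's own code. It assumes the cache key is derived from the concatenation of user ID, username and password (the article only says the key is built from hashed user identifiers and that the fix pre-hashes username and password). Real bcrypt is replaced by a stand-in that models its documented 72-byte input limit with an explicit cut followed by PBKDF2, so the block runs with the Python standard library alone; the user ID, usernames, passwords and salt are all constructed sample values.

```python
import hashlib
import hmac

# bcrypt uses at most the first 72 bytes of its input; anything beyond is silently dropped.
BCRYPT_INPUT_LIMIT = 72

# Constructed sample data (not real Okta identifiers).
SALT = b"constructed-static-salt"
USER_ID = "00uabcdefghijklmnopq"                                        # 20 characters, constructed
SHORT_USERNAME = "jane.doe@example.com"                                 # 20 characters, constructed
LONG_USERNAME = "firstname.middlename.lastname@very-long-dept.example"  # 52 characters, constructed


def bcrypt_stand_in(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt (an assumption, so no third-party package is needed).

    It reproduces the one property that matters here: only the first 72 bytes
    of the input influence the result. The slow hash is PBKDF2-HMAC-SHA256.
    """
    return hashlib.pbkdf2_hmac("sha256", data[:BCRYPT_INPUT_LIMIT], salt, 10_000)


def cache_key_vulnerable(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Cache-key derivation that feeds the raw concatenation straight into bcrypt.

    Once len(user_id) + len(username) reaches 72 bytes, the password lies
    entirely past the cut and no longer affects the key.
    """
    material = f"{user_id}{username}{password}".encode("utf-8")
    return bcrypt_stand_in(material, salt)


def cache_key_fixed(user_id: str, username: str, password: str, salt: bytes) -> bytes:
    """Mitigated derivation: SHA-256 the material first, then bcrypt the digest.

    The hex digest is always 64 bytes, so it fits under the 72-byte limit and
    every byte of the password contributes. Hex (rather than the raw digest)
    avoids NUL bytes, which bcrypt implementations reject or treat as end-of-string.
    """
    material = f"{user_id}{username}{password}".encode("utf-8")
    pre_hash = hashlib.sha256(material).hexdigest().encode("ascii")
    return bcrypt_stand_in(pre_hash, salt)


def password_is_ignored(key_fn, user_id: str, username: str, salt: bytes) -> bool:
    """Return True if two different passwords yield the same cache key.

    True means a stored key could be matched by username alone, which is the
    condition the article describes.
    """
    key_a = key_fn(user_id, username, "correct horse battery staple", salt)
    key_b = key_fn(user_id, username, "completely-different-password", salt)
    return hmac.compare_digest(key_a, key_b)


def surviving_password_bytes(user_id: str, username: str, password: str) -> int:
    """How many bytes of the password survive the 72-byte cut in the vulnerable scheme."""
    prefix_len = len(f"{user_id}{username}".encode("utf-8"))
    return max(0, min(len(password.encode("utf-8")), BCRYPT_INPUT_LIMIT - prefix_len))


if __name__ == "__main__":
    for label, name in (("short", SHORT_USERNAME), ("52-char", LONG_USERNAME)):
        print(f"{label} username, vulnerable scheme: password ignored = "
              f"{password_is_ignored(cache_key_vulnerable, USER_ID, name, SALT)}")
        print(f"{label} username, fixed scheme:      password ignored = "
              f"{password_is_ignored(cache_key_fixed, USER_ID, name, SALT)}")
```

With the constructed 20-character user ID, the 52-character username fills the 72-byte window exactly, so `surviving_password_bytes` returns 0 and the vulnerable derivation produces the same key for any password; the pre-hashed derivation does not. The same check, run against the real cache-key construction, is the kind of unit test that would have caught the bug before it shipped.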

This incident underlines the importance of a strong security posture in identity management systems, particularly where usernames can be long by convention or organizational policy. It is a reminder for security, compliance, and infrastructure professionals to keep refining their authentication controls against potential exploitation paths.