Okta, a prominent identity and access management (IAM) provider, suffered a security setback that cut against its "secure by design" pledge. On October 30, 2024 it identified, and the next day disclosed, a vulnerability in its AD/LDAP Delegated Authentication (DelAuth) feature that, under specific conditions, let a user log in with any password. The flaw had been introduced in a July 23, 2024 update and came from how the DelAuth cache key was generated: Okta hashed the concatenated string userId + username + password with bcrypt, and bcrypt silently uses only the first 72 bytes of its input. When the user ID and username together filled that window (Okta's advisory puts the threshold at a username of 52 characters or longer), the password fell entirely outside the hashed bytes, so any password produced the same key as the cached one. Exploitation also required that multi-factor authentication (MFA) not be enforced, that the user had previously authenticated successfully so a cached key existed, and that the cache actually be consulted, which happens when the AD/LDAP agent is down or under heavy load. Okta resolved the issue the same day by switching the cache-key derivation to PBKDF2, and advised customers to review their System Log for authentications by users with usernames of 52 or more characters between July 23 and October 30, 2024. The incident shows how hard it is to honour secure-by-design principles fully across complex software systems: a library's silent truncation behaviour is exactly the kind of detail that a threat model of "what bytes does this hash actually cover?" has to catch.
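To make the failure mode concrete, here is an added example that is not Okta's code and does not use the real bcrypt package: it models bcrypt's 72-byte input cap with a SHA-256 stand-in, builds the cache key the way the advisory describes (one concatenated userId + username + password string), and shows that a 20-character user ID plus a 52-character username pushes the password entirely out of the hashed input. A hardened variant beside it uses PBKDF2-HMAC-SHA256, which has no such cap, and length-prefixes each field so the boundaries between them are unambiguous. The user ID, usernames, passwords and salt are constructed for illustration.

```python
import hashlib
import hmac

# bcrypt silently uses only the first 72 bytes of its input.
BCRYPT_MAX_INPUT = 72

# Constructed sample data (not from the advisory): a 20-char ID, a 52-char
# username (40 letters + "@example.com"), and a short username for contrast.
SAMPLE_USER_ID = "00u" + "x" * 17
LONG_USERNAME = "a" * 40 + "@example.com"
SHORT_USERNAME = "bob@example.com"
SAMPLE_SALT = b"\x00" * 16  # fixed so the example is deterministic


def bcrypt_like_hash(data: bytes, salt: bytes) -> bytes:
    """Stand-in for bcrypt that reproduces its one relevant property:
    bytes past position 72 never influence the output. (SHA-256 is used
    only so the example runs without the bcrypt package; it is NOT bcrypt.)"""
    return hashlib.sha256(salt + data[:BCRYPT_MAX_INPUT]).digest()


def vulnerable_cache_key(user_id: str, username: str, password: str,
                         salt: bytes = SAMPLE_SALT) -> bytes:
    """The pattern described in the advisory: a single concatenated string
    fed to a bcrypt-style KDF. If user_id + username already reaches 72
    bytes, the password contributes nothing to the key."""
    combined = (user_id + username + password).encode()
    return bcrypt_like_hash(combined, salt)


def hardened_cache_key(user_id: str, username: str, password: str,
                       salt: bytes = SAMPLE_SALT) -> bytes:
    """PBKDF2-HMAC-SHA256 over all of the input (the algorithm Okta moved to),
    with each field length-prefixed so "ab"+"c" and "a"+"bc" cannot collide."""
    def enc(field: str) -> bytes:
        raw = field.encode()
        return len(raw).to_bytes(4, "big") + raw

    material = enc(user_id) + enc(username) + enc(password)
    return hashlib.pbkdf2_hmac("sha256", material, salt, 100_000)


def password_is_ignored(user_id: str, username: str) -> bool:
    """Audit check: does the identity prefix alone fill bcrypt's 72-byte window?"""
    return len((user_id + username).encode()) >= BCRYPT_MAX_INPUT


def cache_accepts(key_fn, user_id: str, username: str,
                  stored_password: str, attempted_password: str) -> bool:
    """Simulate the DelAuth cache path: a key was stored after a successful
    login; a later attempt is accepted if its derived key matches."""
    stored = key_fn(user_id, username, stored_password)
    attempt = key_fn(user_id, username, attempted_password)
    return hmac.compare_digest(stored, attempt)


if __name__ == "__main__":
    for name in (SHORT_USERNAME, LONG_USERNAME):
        print(f"{len(name)}-char username, password ignored by bcrypt-style key:",
              password_is_ignored(SAMPLE_USER_ID, name))
        print("  vulnerable key accepts wrong password:",
              cache_accepts(vulnerable_cache_key, SAMPLE_USER_ID, name,
                            "correct horse", "wrong"))
        print("  hardened key accepts wrong password:  ",
              cache_accepts(hardened_cache_key, SAMPLE_USER_ID, name,
                            "correct horse", "wrong"))
```

The `password_is_ignored` check is the one to run over a user population when auditing any bcrypt-based scheme that concatenates identity fields with the secret: every account whose prefix reaches 72 bytes is one whose password never entered the hash.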