In a security advisory, Okta said the vulnerability had been in place since July 23, over three months at the time of writing.
However, the passwordless login trick only worked with usernames over 52 characters and in cases where there was a “stored cache key,” a saved digital record of a previously successful login.
Another caveat explained in a message sent to users was that the bug only worked if the organization using Okta didn’t have two-factor authentication enabled.