Okta CEO opens up about Auth0 acquisition, SaaS slump and Lapsus$ attack

Okta launched a cloud identity product back in 2009 when most people were locked into Microsoft Active Directory, an on-prem incumbent so entrenched that nobody believed that anyone could touch it. It took a little audacity to go after a giant like that, but Okta took a cloud-first approach, a markedly different strategy from Active Directory at the time.

The company raised over $230 million before going public in 2017. It reached unicorn status with a $75 million raise on a $1.2 billion valuation back in 2015 when the designation meant a little more than it does these days.

With ownership of the workforce side of the market, Okta decided to make another bold move when it acquired Auth0 for $6.5 billion during the stock market bubble that accelerated in 2020. The idea behind the deal was not simply to own an identity tool favored by developers — although that was certainly a big part of it — it was really about owning another large piece of the market, one that could make Okta a one-stop identity shop.

“There’s a very deep divide between legacy and modern in this market.” Okta CEO Todd McKinnon

Okta wanted to own both the workforce market, the core of its approach to that point, as well as the customer identity market where Auth0 lived. And Okta made a substantial bet for a company of its size to make that happen.

Okta isn’t alone in the identity space; competitors include companies large and small like ForgeRock, SAP, IBM, Ping Identity, Salesforce, Microsoft and Akamai, among others.

Like every other SaaS company out there, Okta has had a rough year in the public markets, down over 80% in the past year (although it was up almost 10% in midday trading Thursday). It also had to deal with an attack spearheaded by the group Lapsus$ that happened in January but was reported in March — and the fallout from its response.

Despite these headwinds, the company has big long-term goals to own the cloud identity market and believes it can ride out the current temporary macroeconomic conditions and the legacy vendors to get there.

We sat down with CEO and co-founder Todd McKinnon recently and asked him about how he is navigating these times — and the lessons he’s learned along the way.

Growing Auth0

McKinnon emphasized that he spent 14% of his stock value at the time to acquire Auth0, a number he knows off the top of his head, because he wants his company to own the cloud identity market, and he doesn’t think he could do it without Auth0.

“We bought them to change, and we bought them because we needed change to win this customer identity market,” he told TechCrunch. “Our strategy is that we have to win both the workforce market and the customer identity market. And the only way we’re going to turn identity into one of these most important platforms for every company is we have to [own] both use cases.”

He said integrating two companies like this didn’t come without challenges, and he may have moved too quickly to bring the products together.

“We haven’t done this perfectly, and we have to be smart about how fast we integrate, and what we integrate. Auth0 had a really good year last year. They beat all their numbers, but in the fourth quarter, they beat that number by like 50%, and we saw that momentum and decided to integrate the sales teams,” he said.

In retrospect, he believes it might have been better to wait six more months to ensure that all that success they were seeing was translatable into a bigger sales team.

“It’s [one thing to recognize] you have to change, but maybe we were being overly zealous by thinking [faster] integration would help us change [more quickly], but then what we’re learning is that sometimes change just takes time to make that happen,” he said.

What he means is a larger sales team requires more leads, and it takes time to build up that lead-generation engine. Integrating two organizations isn’t easy, and how and when you make certain moves isn’t a perfect science. McKinnon seems to recognize that as he incorporates Auth0 more deeply into Okta.

SaaS stock hit and impact on Okta

In spite of the combination of workforce and customer identity that McKinnon is trying to drive home, the stock market has not been kind to Okta (or really any SaaS company) this year. But he is prepared to ride the vagaries of the down market.

(In its most recently reported quarter, the second of its fiscal 2023, Okta posted $452 million worth of revenue, up 43% year over year. Its net loss fell over the same time frame, and although its operations consumed cash in the period, it remains incredibly well capitalized.)

McKinnon recognizes it for what it is — a change in what investors think is important in the face of rising interest rates and inflation. He doesn’t think the economy overall is as big a factor as the return to profitability over growth.

“The way I describe it is that the bubble is over, and what I mean by that is, I mean, free money is over. So investors are going to want cash flow for their investment. They’re not going to want growth stocks that have no cash flow,” he said.

While McKinnon is admittedly frustrated by Wall Street’s reaction to his company, he understands that it’s up to him to explain the strategy and the value proposition so that investors can understand.

“There are hundreds and hundreds of tech companies and we get on these calls with them. And it’s like, they ask the most basic questions about Okta, and at first I’m insulted, like how can you not know Okta, then I remember that they have so many companies to look at, and so many can look alike, but it’s my job to differentiate what we’re trying to do.”

Lapsus$ hack lessons

Okta’s reputation took a hit in the aftermath of the Lapsus$ cyberattack that surfaced in March. As TechCrunch’s security editor Zack Whittaker reported at the time:

The authentication giant admitted the compromise after the Lapsus$ hacking and extortion group posted screenshots of Okta’s apps and systems on Monday, some two months after the hackers first gained access to its network.

It turned out the breach occurred via a third-party customer support company, Sitel, which had access to the Okta network; that access was what the hackers exploited, Whittaker reported. Lapsus$ was able to take screenshots from a Sitel employee’s laptop, which it later posted online.

The hackers also attempted to access the Okta network before running into Okta’s security controls, McKinnon said. He recognized that the company made several mistakes and said in retrospect that it should have done things differently.

“The first big learning is that we can’t allow a third-party contractor to access Okta from a laptop that was not secure.

“In effect, this was like an employee, who happened to be a contractor. We can’t allow them [to access our network] from insecure devices. So within a week, every contractor had Okta, hardware that was managed, secured and locked down,” he said.

When Okta security recognized that someone had attempted to access the network, they should have dug deeper, McKinnon said.

“Our security operations team knew that there was this attempted account takeover, and they didn’t dig in enough and didn’t do enough research to fully understand what was happening. They kind of dismissed it as, ‘Oh, it was a failed account takeover attempt, we blocked it, nothing else to see here.’

“Instead, they should have dug into it and said, ‘Wait a minute, the whole Sitel network was compromised. What else could they have done? What screenshots could they have taken? Who are their customers? Could they get access to that?’ and we didn’t do that follow-up,” he said.

Finally, he said he should have communicated better with customers and the press in the aftermath of the screenshot release on Twitter.

“So one of the other big learnings was that we need a way to communicate in real time with customers, with people that are managing risk in that first 12 hours. Because the public communication is very much ‘we’re investigating.’ But with our customers and with these key people that are trying to make these risk decisions, we need a way to actually tell them more than that.”

He admitted that kind of open communication isn’t easy to do in the heat of the moment when they are trying to figure out what happened. As he noted, “we’re investigating” is open to a lot of interpretation, and it’s up to them to provide more information with more nuance, and it’s not easy to make those subtle distinctions publicly in the middle of a crisis.
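The two operational lessons above, that a contractor is gated like an employee and may only sign in from a managed device, and that a blocked takeover attempt from a third party is the start of an investigation rather than the end of one, can be expressed as a small triage rule. The following is an added illustration written for this article, not Okta’s product code and not the real Okta/Sitel log data; the `AuthEvent` fields and the sample events are constructed assumptions, not a real Okta System Log schema.

```python
# Added example: a device-posture gate for contractors plus a triage rule for
# blocked account-takeover attempts. Illustrative code only; the field names
# below are assumptions chosen for this demo, not a real Okta log schema.
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class AuthEvent:
    event_id: str
    user: str
    user_type: str        # "employee" or "contractor"
    outcome: str          # "SUCCESS" or "BLOCKED"
    device_managed: bool  # did the sign-in come from a managed, locked-down device?
    source_org: str       # organisation / network the sign-in originated from


# Constructed sample events, not real log data.
SAMPLE_EVENTS = [
    AuthEvent("ev-1", "agent01@support-vendor.example", "contractor", "BLOCKED", False, "support-vendor"),
    AuthEvent("ev-2", "alice@corp.example", "employee", "BLOCKED", True, "corp"),
    AuthEvent("ev-3", "agent02@support-vendor.example", "contractor", "SUCCESS", True, "support-vendor"),
    AuthEvent("ev-4", "bob@corp.example", "employee", "SUCCESS", True, "corp"),
]


def access_allowed(event: AuthEvent) -> bool:
    """Lesson one: contractors are treated like employees, so every sign-in,
    regardless of who is signing in, must come from a managed device."""
    return event.device_managed


def unmanaged_device_attempts(events: list[AuthEvent]) -> list[str]:
    """Policy gap report: ids of sign-in attempts (successful or blocked) that
    came from a device the managed-hardware rule should have excluded."""
    return [ev.event_id for ev in events if not access_allowed(ev)]


def needs_escalation(event: AuthEvent) -> bool:
    """Lesson two: a blocked takeover attempt is not 'nothing to see here' when
    it comes from a third party or an unmanaged device. The block only says
    that this one sign-in failed, not what else the attacker can reach from
    the position they already hold."""
    if event.outcome != "BLOCKED":
        return False
    return event.user_type == "contractor" or not event.device_managed


def followup_questions(event: AuthEvent) -> list[str]:
    """The follow-up an analyst should open a case for, generalised from the
    questions McKinnon lists: scope of the third party's compromise, what the
    attacker could have seen, and which downstream customers are exposed."""
    return [
        f"Is the wider {event.source_org} environment compromised, not just this account?",
        f"What systems and data can {event.user} reach through its normal access?",
        "What could the attacker have viewed or captured (sessions, screenshots, tickets)?",
        f"Which customers does {event.source_org} support, and could the attacker reach them?",
    ]


def triage(events: list[AuthEvent]) -> dict[str, list[str]]:
    """Group event ids by disposition: 'escalate' for blocked attempts that
    need a full investigation, 'closed' for everything else."""
    result: dict[str, list[str]] = {"escalate": [], "closed": []}
    for ev in events:
        bucket = "escalate" if needs_escalation(ev) else "closed"
        result[bucket].append(ev.event_id)
    return result


if __name__ == "__main__":
    print("unmanaged-device attempts:", unmanaged_device_attempts(SAMPLE_EVENTS))
    for bucket, ids in triage(SAMPLE_EVENTS).items():
        print(bucket, ids)
    for question in followup_questions(SAMPLE_EVENTS[0]):
        print(" -", question)
```

Run over the constructed events, only `ev-1` (a blocked contractor sign-in from an unmanaged laptop) is escalated and flagged as a policy gap, while the blocked employee attempt from a managed device is closed; the follow-up list is what a case for `ev-1` should start with.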

Owning the future

In spite of all the challenges Okta has faced this year, some of its own making, McKinnon believes it represents the future of identity in the cloud, and that the competing companies in this space are legacy vendors with on-prem roots.

“There’s a very deep divide between legacy and modern in this market. So modern is all startups all going after DevOps, and going after workloads that are in the cloud and privileged accounts that are ephemeral [like Kubernetes], and they get spun up and spun down [and so forth],” he said.

As Okta looks to expand, he can see buying some cloud startups in this space. He pointed out that Okta is the only serious identity company born in the cloud.

“We’ve talked about customer identity and workforce identity and being on a converged platform of privileged access and identity governance. And the biggest differentiator about us is, we’re a cloud SaaS service built from the ground up like Salesforce — I mean that’s where I used to work. Same with Auth0, SaaS service.

“We’re the future. Those other companies, they’re all [legacy] software companies.”