Auth0 - Product-led Security


Introduction

Stumble across Eugenio Pace’s page on Amazon and you’d find a mildly successful author writing technical books such as “Moving Applications to the Cloud on the Microsoft Azure™ Platform”. Google the words “Eugenio Pace” and you find that he’s the CEO of Auth0, the identity-as-a-service startup that was acquired by Okta in February 2022 to the tune of $6.5 billion. That’s a lot of book sales.

Auth0’s home page claims “basically, we make your login box awesome.”

There is a substantial amount of complexity hiding behind that simple statement. A login box encompasses a whole multitude of authentication flows. Users can sign up, log in, or reset their passwords.

Auth0’s customers cover a broad range of authentication preferences. One company might prefer the standard username and password, another might like Single Sign On (SSO, sign in with Google, Apple, or Facebook), and yet another might require Multi-Factor Authentication (MFA, log in and then confirm your identity). Not to mention session management, rotating refresh tokens, bot detection, and access management.

Auth0 simplifies all of this complexity - at a cost. Enterprise companies pay anywhere from hundreds per month to millions per year.

Funding

Round         Date        Amount   Narrative                  Lead Investor
Seed          Sep 2014    $2.4m    Experienced founders       Bessemer Venture Partners
Series A      Jun 2015    $6.9m    Established PLG            Bessemer, K9 Ventures
Series B      Aug 2016    $15m     Customer authentication    Trinity Ventures
Series C      Jun 2017    $70m     International expansion    Meritech Capital Partners
Series D      May 2018    $55m     New CEO, Eugenio Pace      Sapphire Ventures
Series E      May 2019    $103m    International growth       Sapphire Ventures
Series F      July 2020   $120m    Strategic investment       Salesforce Ventures
Acquisition   Mar 2021    $6.5b    Acquired for $6.5b         Okta

Founding Story

Auth0 starts with Eugenio Pace and Matias Woloski. Pace had spent 13 years at Microsoft as a program manager (essentially a product manager). While there, he would write a book with Woloski on authentication, “A Guide to Claims-Based Identity and Access Control”.

But they felt there was more work to be done. Authentication was notorious for being poorly implemented. In February 2013, Pace teamed up with Woloski to start Auth0, identity management that “just works”.

The first version of their product focused on a single pain point: single-sign-on (SSO). In an announcement blog post, Pace showcases the following graph:

Auth0 was far from the only company working on SSO. Okta started in 2009 by selling to companies looking for best-of-breed workforce identity software instead of large ERP contracts from Microsoft, IBM, or Oracle. By 2013, Okta was the leader in the enterprise authentication space.

Undaunted, Auth0 threw their hat into the ring, pursuing a developer-first approach. Woloski personally wrote comprehensive documentation that helped Auth0 stand out from other authentication solutions. He also recruited a founding team of engineers from Buenos Aires and started shipping. In their first year, the team built user management dashboards, a wealth of social and enterprise identity providers, and SDKs for major platforms (including Windows 8)!

Despite that, Auth0 ended the year with only 1,700 subscribers, most of them on the free development tier.

To change this, the pair brought in Jon Gelsey as CEO in January 2014. Like Pace, Gelsey had spent a long tenure at Microsoft and most recently had been the Director of Strategy and M&A. Pace stepped down from CEO to serve as VP of Customer Success.

One of Gelsey’s first moves was to hire a team of advisors including Guillermo Rauch (creator of socket.io and CEO of Vercel) and Tim Bray (co-author of XML). These advisors added serious credibility to the Auth0 product.

From there, Gelsey started raising Auth0’s seed round. In their meetings with VCs, they pitched themselves as “Twilio for identity.” It worked, attracting the attention of Bessemer Venture Partners, a venture capital fund with roughly $4B AUM.

In an investment memo, the Bessemer team wrote:

There are two categories of developers who would use Auth0. First, SaaS vendors, such as Adaptive Insight, can use Auth0 to allow end users to log in with their company-internal credentials, a social login, or a unique username and password… the 30+ social logins available through Auth0 provide a 1-click experience and enable a rich user profile. The other category of developers that Auth0 targets are enterprise app developers who build a company’s internal apps and want to quickly enable authentication in a complex identity environment. This also means that an app can authenticate partners, vendors, and consultants without having to manage their usernames and passwords.

And true to Auth0’s thesis, these exact developers were paying $10k per month. In September 2014, they announced their $2.4 million seed round, led by Bessemer.

Product-Market Fit

Along with the seed funding, Auth0 also got a rare chance to be featured in USA TODAY. The team capitalized on the opportunity, with claims such as “The company’s promise is that it can help the Home Depots, JPMorgan Chases and Targets of the world avoid headline-grabbing, trust-threatening breaches.”

These bold claims were part of a larger wave of Identity Access Management (IAM) changes. Starting with Okta, a host of vendors had been focused on pairing legacy identity systems like Microsoft Active Directory with best-of-breed cloud tools such as Salesforce and Slack. IT teams utilized these SSO vendors to ensure that employees could access all their cloud tools with a single pair of credentials.

By the end of Auth0’s seed round, Okta had already reached around $30 million in ARR with a recent $75M Series E.

To fight larger competitors, Auth0 took a slightly different tack on growth.

Gelsey implemented a product-led growth (PLG) motion. In his words, “[PLG] done right is an inexpensive way to generate high-quality leads for the top of the sales funnel.”

The first step was content marketing. Rather than just English content, Auth0 would create blog posts in Japanese and German to serve international audiences. To write the blog posts, Gelsey hired Martin Gontovnikas as a Developer Advocate and the 6th employee at Auth0.

Over the coming months, Auth0’s content library would steadily move from product announcements to “How to Build Customer Trust in Your SaaS Through SOC 2”, “How to take your SaaS upmarket and grow your revenue by 20x”, and “How To Motivate Your Employees”.

The general business content was part of Gelsey’s strategy of generating search engine traffic for Auth0. In his words:

Great SEO is probably the single most important PLG metric; it means your content is useful and authentic, and that web sentiment is positive. Great SEO “automates” the “recommendation by a trusted friend” pillar of PLG, so that Google becomes the trusted friend in your prospect’s early discovery and evaluation.

The second step was minimizing the “time to WOW”. Gelsey wanted prospects to be impressed by the product as quickly as possible. Rather than wasting the goodwill generated by the content on sales meetings, Auth0 encouraged developers to implement an Auth0 login widget with a couple of lines of code. This was made especially easy by the high-quality documentation that Woloski had so painstakingly perfected.

The pricing model was also optimized to reduce friction. The Auth0 team had the philosophy of “we don’t make money until you make money”. As a result, developers could access all of Auth0’s features for free and pay once usage hit certain limits.

One year after raising their seed round, their strategy had won the trust of customers like Schneider Electric, JetPrivilege, and Mindjet. In June 2015, Gelsey raised a $6.9 million Series A led once again by Bessemer and joined by K9 Ventures as well.

Growth

Shortly after Auth0’s Series A, the company brought in another key executive. Gelsey’s PLG strategy only guaranteed “high-quality leads” for Auth0. He still needed someone to actually close the prospects. That was Dave Wilner’s job.

Wilner was a veteran of Redfin and Hewlett Packard and joined Auth0 as their first CRO in November 2015.

In the coming months, Wilner would close high-profile clients such as Dow Jones (US financial publishing firm), CenturyLink (US telecommunications company), and Telkomsel (Indonesian wireless network provider).

Under Wilner, the sales motion at Auth0 started to diverge from industry norms. Customers that wanted bespoke features were startled to hear “yes” from Auth0’s sales force. Instead of building a feature from scratch, Auth0’s customer success team used “Auth0 Rules” to customize the authentication transaction. This extensibility helped overcome much of the resistance that larger organizations had to switching to a new authentication provider.

In the background, Auth0 was also reaching a new market. Rather than enterprise identity, developers were using Auth0’s social connections (Sign in with Google or Facebook) to build customer-facing user authentication.

Before, user authentication for most companies meant building their own login systems (in industry lingo, they “rolled” their own auth).

The growing trend of using third-party services like AWS and Stripe instead of buying server racks or building payment processors from scratch marked a shift for developers. Auth0 fit right in: it made sense to offload authentication to an identity-as-a-service provider.

Coinciding with Auth0’s shift towards customer authentication was a year of constant data breaches. In a 2015 end-of-year blog post, Gontovnikas wrote that organizations from “Ashley Madison, TalkTalk, Slack, LastPass, and HipChat…have all seen their services compromised this year by unauthorized data breaches or attacks.”

The post also highlighted the Starbucks hack, where thieves had stolen user passwords and abused the lax security measures to siphon gift card funds. Auth0 had a solution for this: Multi-Factor Authentication (MFA), which requires users to confirm a login through another linked account before they are authenticated. And Auth0’s MFA product had just launched in August 2015.

Security was a key part of Auth0’s story in 2015. The team shipped features such as Breached Password Detection, Anomaly Detection, Multi-Factor Authentication, and Passwordless Authentication.

In August 2016, Auth0 raised its $15 million Series B, led by Trinity Ventures. The headline quote from Jon Gelsey was:

Identity is an asset. Unless it’s not secure – and then it can become a liability.

Expansion

Auth0 had been an international company from day one. Most of their engineering team was based in Buenos Aires, where salaries were 10-20x lower than in the US.

With an international team, Auth0 placed their sights on non-US customers. Rather than trying to overcome legacy systems, Gelsey focused on companies that hadn’t invested heavily in authentication yet. For the first few years, Auth0’s largest customer was Sancor Seguros (Argentina’s largest insurance company).

With the new capital, Auth0 rapidly expanded their international presence. They established a London office to serve the EMEA region and localized their website to the Japanese market.

Many of the new international hires went to sales, and in the first half of 2017, Auth0 brought on:

The string of high-profile wins culminated in a $30 million Series C in June 2017. The round was led by Meritech Capital Partners. Their international efforts also attracted funding from NTT DOCOMO Ventures (Japan’s largest mobile carrier) and Telstra Ventures (the venture capital arm of Australia’s largest mobile carrier).

Auth0 experienced a sudden shift in leadership in 2017 as well. That December, Auth0 put out a press release that Eugenio Pace would replace Jon Gelsey as CEO. The verbiage, “effective immediately”, and the fact that Gelsey did not retain his board seat indicate the split was not amicable.

Despite the shakeup, Auth0’s progress never slowed. They went on to raise:

The rush of capital was followed by a $6.5 billion acquisition offer for Auth0. The acquisition had been a long time in the making.

Todd McKinnon, Okta’s CEO, had first emailed Eugenio Pace in July 2013, five months after Auth0 started. Over the years, McKinnon made multiple passes at Auth0, even after acquiring Stormpath, a close competitor of Auth0.

Finally, with the pandemic doubling Okta’s market capitalization to a high of $45 billion, McKinnon could make the Auth0 team an offer that was impossible to turn down. The $6.5 billion purchase price was a 3.4x premium on Auth0’s Series F valuation.

After a long negotiation period, Okta finally announced the acquisition in March 2021, and it was finalized in May 2021.

Conclusion

Since Okta’s acquisition of Auth0, the stock market has battered both companies. From its previous $45 billion market cap high, Okta trades at $12 billion today (February 2023).

At acquisition, the synergies of the two companies were quite clear: Okta was number one in the B2E workforce identity market while Auth0 was the leader in B2B and B2C authentication.

Unfortunately, the cultures of the two distinct companies didn’t mix. Auth0’s bottom-up, developer-first approach contrasted heavily with Okta’s sales-led growth motion. Okta saw heavy attrition in their sales force after the acquisition, including the departure of their CRO, Steve Rowland, and CMO, Kendall Collins. [0] In McKinnon’s words:

This integration has proven harder than we thought. The biggest issue was that it wasn’t clear enough how the Okta sales people should sell Auth0.

Despite all this, Okta’s core workforce identity and Auth0’s user authentication products are still leaders in their respective markets and McKinnon has become more upbeat on recent earnings calls.

Today, dozens of startups are vying for a piece of the authentication market. While Auth0 and Okta’s products have led them to the top of the market, it’s unclear what the future holds for the now-combined companies.

[0] Steve Rowland went over to Drata - which we profiled in another piece.
