Okta is the leading independent provider of identity services. While their roots have been in controlling employee access to enterprise applications, Okta has recently doubled their TAM by providing identity management for consumer apps. Almost every modern digital application requires its users to verify their identity. Facilitating this process has become a necessary software building block. Okta supports this capability with a suite of robust platform services, which developers can consume through well-documented APIs. Okta’s packaged software products are built on top of these platform services, driving a continuous feedback loop. Okta’s product offerings target an enormous addressable market, the combination of both workforce and customer identity. Strong secular trends in enterprise employee mobility, cloud migration and digital transformation are driving this market and Okta occupies the pole position. The company is led by two co-founders with deep SaaS domain experience. To help investors better understand the opportunity, I will dig into Okta’s technology underpinnings, financials, product portfolio, addressable market and competitive landscape. This will provide an investment framework which investors can use to monitor Okta’s progress going forward.
History and Technology Foundation
Okta addresses a problem space called Identity and Access Management (IAM). IAM provides a security service that ensures that the correct individual has access to the expected resources at the designated point in time. IAM consists of two main functions – authentication and authorization. Authentication establishes identity. It is the process of proving who you are on digital channels. This was traditionally done through username and password entry, but has necessarily evolved to more sophisticated methods, like device fingerprinting, multi-factor authentication, certificates and even biometrics. Humans generally do poorly with passwords – making them easy to guess or cumbersome to track. Tying a person’s identity to something they physically possess tends to work more reliably.
Authorization, on the other hand, determines what resources you are allowed to access. Resources in this context can be whole applications, certain features, file directories or individual pieces of digital content. For example, if you authenticate as a member of an employee group and that group has access to a file folder, then authorization would grant you access to the files in that folder.
Initially, IAM services were confined to corporate networks, as a means to control employee access to enterprise business applications. These represented the large software packages on the intranet, like systems to manage HR, sales leads, resource planning, financials, file sharing, email and collaboration. This type of corporate environment was standard through the 1990s and into the early 2000s. However, as the internet really started going mainstream after 2005, SaaS replacements began proliferating for these on-premise software packages. Salesforce was the first well known example. Companies soon needed the same set of access controls that they had for their on-premise applications, but applied to the cloud. The legacy identity and access management systems couldn’t easily evolve to handle the new paradigm of cloud-based SaaS. This gap created a new opportunity for nimble identity companies.
After 2010, the pace of cloud migration picked up, making the need for enterprise identity solutions more acute. At the same time, enterprises were building mobile apps and new digital customer experiences. These also required a reliable and secure method of controlling access to these experiences for their customers. Username / password approaches worked for a while, but soon the fallout from compromised user accounts required more sophisticated solutions. Enterprises found they couldn’t blame the customer for using a simple password. They needed to intelligently increase the security barrier without creating additional friction. This gave rise to new companies that specialized in cloud-based identity management, using complex authentication and fraud detection methods that went far beyond anything that most enterprises could do themselves.
Okta was founded in 2009, by two ex-Salesforce leaders. As Salesforce was cutting new ground for SaaS offerings, these two saw the need for an independent service to manage user identity and access controls across all SaaS applications that an enterprise might procure for its workforce. Okta stepped into this market at the perfect time. Over the years, they executed strategically to become the leading independent provider of identity services. I will dig into the products they built in a bit, but first let’s take a brief look at Okta’s financials.
Financial Overview
OKTA went public on April 28, 2017. The stock closed at $26.05 that day. Over the last two years, OKTA has gained meaningfully reaching a recent ATH price of $151.94. Like many software stack companies, the stock lagged in the second half of 2019, surged in early 2020 and then dropped again in Feb-Mar 2020, due to concerns around COVID-19. After Okta’s Investor Day on April 1st, the stock resumed its upward climb. Investors were happy to see minimal projected impact from COVID-19 (for now) and are betting that Okta will capitalize on the enterprise trends (work from home, digital transformation, security) being accelerated by social distancing.
OKTA has a current enterprise value of $17.9B. Its trailing EV/Revenue is 30.1. As we look at financials and more importantly, product offerings and addressable market, we will get a better sense for the long term opportunity for an investment in OKTA.
Q4 and FY2020 Earnings Results
On March 5, 2020, Okta released earnings results for Q4 and full year FY2020 (roughly calendar year 2019). Q4 results exceeded expectations on both earnings and revenue. Q1 and FY2021 projections surpassed estimates for revenue, but were lower on earnings estimates. On the analyst call, the Okta leadership team explained that FY2021 would continue to be an investment year in order to capitalize on the large opportunity. The next day, the stock closed down 2.4%, after initially spiking up. During this time, the market in general was experiencing significant volatility due to COVID-19.
Here are some highlights from the earnings release (EPS is Non-GAAP):
- Q4 FY20 Revenue grew 44.9% year/year to $167.3M, versus the analyst estimate of $155.8M. The original estimate would have represented annual growth of 34.9%, so Okta outperformed by about 10% on an annualized basis. Q3 FY20 revenue growth was 45.0%. Nice to see consistent performance sequentially.
- Q4 FY20 EPS of ($0.01), which beat the analyst estimate of ($0.05) by $0.04.
- Q4 Non-GAAP operating loss was $5.6M, yielding an operating margin of -3.3%. This compares to a loss of $4.9M, or 4.3% of total revenue, in Q4 FY 2019.
- Q4 FCF was $18.1M, yielding a FCF margin of 10.8%. This compares to $4.8M, or 4.1% of revenue, in Q4 FY 2019.
- FY20 Revenue was $586.1M, an increase of 47% year/year. FY19 Revenue growth was 55.6% year/year. Original revenue guidance issued in March 2019 for FY20 was $532.5M at the midpoint, which would have represented growth of 33.4%. Beat and raise quarters through FY20 drove almost 14% of upside.
- FY20 net loss was $36.7M, compared to $34.1M for FY 2019. Non-GAAP EPS was ($0.31), compared to ($0.32) for FY19.
- FY20 operating loss was $48.5M, yielding an operating margin of -8.3%. This compares to a loss of $41.5M, or operating margin of -10.4% in FY19.
- FY20 FCF was $36.3M, or 6.2% of total revenue. This compares to negative FCF of $6.8M, or 1.7% of total revenue for FY19.
- Q1 FY21 Revenue guidance of $171-173M versus $166.2M consensus. At the midpoint, this would represent year/year growth of 37.1%.
- Q1 FY21 EPS guidance of $(0.24) to $(0.23) versus $(0.14) estimated.
- Q1 FY21 operating loss of $33.2M to $32.2M, representing an operating margin of -19.0% at the midpoint.
- FY21 Revenue guidance of $770-780M versus $760.8M consensus. This represents year/year growth of 32.2% at the midpoint.
- FY21 EPS guidance of $(0.42) to $(0.37) versus $(0.28) consensus.
- FY21 operating loss of $65M to $57M, representing an operating margin of -7.9% at the midpoint.
- International revenue in Q4 grew 52% year/year, faster than overall Q4 revenue growth of 45%. International revenue makes up 16% of total revenue, so this is a big opportunity.
- Q4 gross margin was 78%, compared to 76% in the prior year. FY20 gross margin was 77%, compared to 75% in the prior year.
- Q4 Total RPO was $1.21B, an increase of 66% year/year. Current RPO (subscription revenue expected over next 12 months) was $592.3M, up 54% year/year.
- Q4 total calculated billings were $225M, an increase of 42% year/year.
- DBNER was 119% for Q4, up 2% from Q3. This is roughly in line with the range of 117-120% over the last 4 quarters.
- Total customers at the end of Q4 FY20 was 7,950, up 30% compared to Q4 FY19.
- Customers with ACV greater than $100K at end of Q4 FY20 was 1,467, up 41% compared to FY19.
- Cash, cash equivalents, and short-term investments were $1.40B at end of FY20.
At their Investor Day event on April 1, 2020, Okta leadership updated their FY21 guidance, based on potential impact from COVID-19. They maintained revenue estimates and raised their profitability guidance. Profitability improved due to lowered expenses around travel and other savings. This news was well received by the market, and explains much of the stock’s growth of about 25% in April.
On a Rule of 40 basis, Okta is performing well. For the most recent quarter, Okta had 44.9% revenue growth + 10.8% FCF margin = 55.7. This value has been fairly consistent in the 50-55 range for the past year.
Given a current enterprise value of about $17.9B, OKTA would have a forward EV/Revenue ratio of about 23.1 at the midpoint of current FY21 revenue estimate of $775M. If we assume outperformance of $25M (half of FY20 outperformance), that would give revenue of $800M and a forward EV/Revenue ratio of 22.4. This is on the higher side, but not totally out of line with peer software companies growing at this rate.
Analyst Coverage
For analyst recommendations made since the last quarterly earnings report on March 5th, Okta has 9 Buy and 4 Neutral equivalent ratings. The average price target is $144.38. Okta is currently trading for about $150.
Table of updates
Date | Analyst | Rating | Price Target |
--- | --- | --- | --- |
4/12 | BMO | Outperform | Raised from $150 to $155 |
4/2 | JP Morgan | Overweight | Raised from $151 to $154 |
4/2 | Canaccord | Hold | Lowered from $125 to $120 |
4/2 | DA Davidson | Buy | Raised from $110 to $140 |
4/2 | Oppenheimer | Outperform | Lowered from $140 to $120 |
4/2 | Mizuho | Neutral | Lowered from $145 to $140 |
4/2 | Robert Baird | Hold | Raised from $135 to $140 |
3/27 | BTIG | Buy | $144 |
3/25 | Morgan Stanley | Equal Weight | Lowered from $140 to $137 |
3/6 | Piper Sandler | Buy | Raised from $140 to $145 |
3/6 | SunTrust | Buy | Raised from $134 to $162 |
3/6 | Citigroup | Buy | Raised from $150 to $162 |
3/6 | Goldman Sachs | Buy | Raised from $144 to $158 |
Of the analyst commentary, here is a sampling of two positive ratings, one of them after the Investor Day and the other following Q4 earnings.
BMO Capital analyst Keith Bachman upgraded Okta to Outperform from Market Perform with a price target of $155, up from $150. The analyst believes that global secular trends for WFH will serve to increase demand for Okta’s solutions. While the economic challenges could create some deal slippage in the next few quarters, he nevertheless thinks the fundamentals remain very strong for the next few years. Bachman believes Okta’s solution leadership will help drive greater than 30% growth through fiscal year 2022.
TheFly, April 12, 2020
Goldman Sachs analyst Heather Bellini raised the firm’s price target on Okta to $158 from $144 and keeps a Buy rating on the shares. Following last night’s “strong” Q4 results, the analyst remains positive on Okta’s positioning in the identity and access management market. The space continues to benefit from the intersection between increased focus on enterprise security and digital transformations, Bellini tells investors in a research note. Management noted that the overall demand environment remains robust with no current impact from COVID-19, the analyst points out.
TheFly, March 6, 2020
And here is some commentary from Mizuho following Investor Day, which acknowledges encouraging growth signals, but reflects concerns around valuation.
Mizuho analyst Gregg Moskowitz lowered the firm’s price target on Okta to $140 from $145 and keeps a Neutral rating on the shares. The company yesterday was confident in affirming Q1 and fiscal 2021 revenue guidance, although it acknowledged near-term billings will likely be negatively impacted from COVID-19, Moskowitz tells investors in a research note. These are encouraging signs in a time of much uncertainty, and Okta is well positioned for “strong growth,” adds the analyst. However, Moskowitz continues to view Okta’s valuation as “fairly rich.”
TheFly, April 2, 2020
Product Overview
At their Oktane Live conference in early April, Okta announced Okta Platform Services, which consists of six core identity technologies available through APIs and SDKs. These are meant to be consumed by developers to build new identity based applications and customer experiences, either as part of a stand-alone company or an enterprise’s digital transformation strategy.
Okta Platform Services are foundational components of the Okta Identity Cloud that power Okta products and features. These Platform Services enable anyone who uses Okta to leverage Okta’s underlying technologies in a range of ways, empowering our customers, our partners, and Okta engineers to rapidly innovate as identity evolves.
Okta Blog Post
Okta’s product offerings are built on top of these platform services. This provides several benefits to any platform provider, as I discussed in a prior post on platform plays. First, separating the services from the front-end applications is an architectural best practice, as it allows the software engineering organization to operate more efficiently. As an engineering organization grows and has to support multiple products from a single code base, it becomes increasingly difficult to coordinate major changes and minimize code conflicts. Bugs and performance bottlenecks are frequently introduced as multiple developers work on shared code in parallel. In order to mitigate these issues, software teams split up the code base into microservices. Beyond separating code, this generates other productivity gains, like allowing a streamlined CI/CD pipeline, test automation and clearly documented interfaces. Also, the engineering organization can be structured into agile teams around the core services.
Second, internal development teams may be more forgiving of functional oversights in APIs and less rigorous in vetting edge cases. Exposing these services to the development community, though, will generate an order of magnitude more visibility and feedback around the quality and completeness of the services.
Finally, by sharing these services with outside developers, the product team at Okta gets to observe what they produce. This can provide insight into future product opportunities for Okta. If they notice many developers using Okta Platform Services to solve a particular problem in a custom way, they may decide to build a packaged product around a particular problem set. This provides confidence that the product offering will have a market and drives a continuous product improvement cycle.
Authentication and authorization functionality is core to any application that requires user access. Being able to “plug in” a sophisticated identity service that addresses all edge cases will be a very powerful tool for both developers within enterprises and independents working on a new idea. DIY approaches to application identity management are no longer feasible for most engineering teams, as requirements for adequate security have gone far beyond popping up simple user registration and login widgets and storing hashed passwords. This change will drive large numbers of development teams towards Okta, as they upgrade identity frameworks in existing customer applications or pull identity off-the-shelf to start a new one.
Okta’s platform services provide a holistic toolbox for identity management. Each of the six platform services focuses on a different aspect of identity. This allows developers to assemble the best combination of services for their needs.
Identity Engine
The Identity Engine is the foundation of identity services. It delivers a set of customizable building blocks to develop identity features. By providing developers with control over the discrete functional steps in user access flows, they aren’t constrained to pre-defined registration and login processes dictated by other solutions. These flows have been decomposed into programmable objects, allowing developers to address any use case associated with identity.
Each step can be customized with the use of Components, which can evaluate policies, trigger Hooks, publish events, prompt the user for action, or direct to an external service. Hooks are a relatively new addition to the Okta toolset and allow the developer to add code to either customize the default logic in a step or notify an external system based on a particular event trigger. Hooks provide programmability to the identity process.
- Identify. Validates the identity of the user. This can be as light as an email magic link (passwordless – just click on the magic link to log in) or more involved like SMS send, temporary code on local app, device verification or biometric.
- Authorize. This step retrieves a list of what resources the user can access.
- Enroll. For new user registrations, the enroll step can trigger actions in external systems, like generating a welcome email.
- Issue. Provides a token or other unique key indicating the user has completed all steps and is ready to engage with the application.
Okta provides an example use of the Identity Engine with their customer Albertsons, which is a national grocer representing 19 brands, including Safeway, Randalls, Tom Thumb and Albertsons. Albertsons previously had separate identity systems across different brands and even between store and online applications. This resulted in customers having to maintain separate username/password accounts across all these identity systems. The identity systems were built in-house, requiring development resources to maintain and extend them. By moving to the Okta Identity Engine, they were able to consolidate customer accounts into one system and take advantage of advanced features like password reset and device fingerprinting. This freed up developer resources to focus on e-commerce initiatives, like online grocery ordering and delivery.
Devices
Okta Devices extends identity management to the device level. A device can be any piece of hardware, but generally refers to devices used by end users to access an application. The holy grail of device level identity management is to enable passwordless access. If a user has access to a physical device, and that device is secure, then the user’s authentication through the identity system can be streamlined. The benefit of eliminating passwords goes beyond simplicity for the user – it also improves security posture as weak passwords continue to be a source of data breaches.
Okta achieves this device level validation in a couple of ways. First, they create user-to-device bindings. Whenever a user presents a new device to an Okta powered identity service, the device can be fingerprinted, which records unique hardware, OS and software version attributes. These are stored in the Okta Universal Directory with an association to that user account. If the company utilizes a third-party Enterprise Mobility Management (EMM) system, like MobileIron or VMware, the device registration from that system can be utilized.
The second layer of device identification involves installation of the Okta Verify app. This app is available for multiple operating systems and devices – Windows, Mac, Android/Chrome, etc. With the Verify app installed on a device, it can sync with the device’s own user authentication system (PIN, password, biometric) and leverage that to verify the user’s identity. This identity is then synced with the Okta Universal Directory. With the installation of Okta Verify, users can take advantage of Okta’s new FastPass feature, which enables passwordless authentication through the Okta network.
Finally, if the company utilizes a third-party endpoint detection and response (EDR) system, like CrowdStrike or Carbon Black, then policies can be set up to disable access when a user’s device contains malware or has its security features disabled.
Directories
Okta Directories provides much of the foundation for Okta’s Universal Directory product. Fundamentally, these address two functions:
- Provides storage for all user data. This includes primary identifying data (name, email, account, etc.), credentials and other metadata (service subscriptions, preferences, etc.).
- Exposes controls for Admins to create, modify and delete users, as well as manage data exchange rules with other identity providers.
These functions are all accessible programmatically, through robust APIs. Okta provides an expression language, which allows the developer to transform and combine user attributes before they are stored in Directories. For example, first and last name could be combined into one field of name, if necessary. Finally, inline hooks provide the ability to trigger custom logic as part of the authentication flow to facilitate integration with other systems.
Because many enterprises have a legacy onsite identity provider service in place, like Active Directory or LDAP, Okta Directories provides tools to integrate with these outside systems. The Okta Identity Cloud becomes the single point of entry for all users (whether legacy or new) to enable access to all resources (whether cloud-based or on-prem).
Utilizing Okta Directories has other benefits for enterprises. These include centralizing all user data in one place (lowers maintenance cost, risk of errors, troubleshooting user access issues) and allowing for application of user policies efficiently across groups.
Workflows
Whenever an enterprise adds or removes a user (employee, contractor, customer), there are often a number of follow-on tasks that are performed manually. For a new customer account, the follow-on tasks could be to create a record in Salesforce, send a Slack message to the Sales team or generate a welcome email to the new customer. If an employee is terminated, the inactivation of the user account could trigger a number of “deprovisioning” steps, like revoking access to many SaaS apps (shared Box folders, G Suite account, dev tools, etc.).
This sequence of actions is called a Workflow in Okta. Users can create workflows in two ways – either through an intuitive (no code) drag and drop interface or programmatically through APIs. All available account data from the Directories service is available in discrete fields. The user can also apply conditional checks or logic to certain tasks, like only adding access to DevOps tools if the user is a member of the engineering user group.
This sophisticated workflow capability provides the following benefits to users:
- Saves time by automating the list of manual provisioning tasks that often follow new account creation.
- Applies security controls to the deprovisioning of a user account (employee termination) by ensuring that the exhaustive list of SaaS accounts associated with that user is disabled.
- Generates cost savings by removing paid licenses for a deprovisioned user. Many SaaS productivity tools (dev tools, project management, Slack, etc.) are charged on a per account basis. When old employee accounts are forgotten, this continues accruing costs.
Integrations
Okta Integrations provides the tools needed to facilitate a wide variety of connections with third-party applications. These integrations cover a broad array of use cases and involve both inbound and outbound data exchange. All integrations are based on open standards (not proprietary to Okta), like OIDC, SAML, SCIM and RESTful APIs. This allows developers at other application providers to quickly understand how to build and maintain an integration. Developers can add custom logic to integrations through programmable Components and Okta Hooks.
Integrations take a few forms:
- Single Sign On (SSO): These are lightweight integrations to authenticate users to their cloud-based web applications and mobile apps. In these cases, the user is authenticated over SAML and OIDC, and then passed into the application. Okta has 6,500 of these.
- Data Integrations: These allow transmission or exchange of data with other third-party services, like security monitoring. They leverage programmatic APIs and Okta Hooks. There are 1,300 of these.
- User Provisioning: In this case, the integration is with another system that controls user account creation and deletion, like an HR system. Okta has 130 of these.
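The SSO integrations above hand a user to the application over SAML or OIDC, and the application's side of that exchange is where mistakes get made: the relying party must verify the token, not just decode it. The following is an added example written for this post, not Okta's code or SDK, that shows the checks a relying party applies to an OIDC ID token. It signs with an HS256 shared secret so it runs offline; a real Okta integration uses RS256 and fetches the issuer's public keys from its JWKS endpoint, but the issuer, audience, lifetime and nonce checks are the same. The issuer URL, client id, secret and claims are constructed placeholders.

```python
"""Relying-party checks for an OIDC ID token (added example, stdlib only).

Names, URLs and the shared secret are constructed; HS256 stands in for the
RS256/JWKS flow a real identity provider integration uses.
"""
import base64
import hashlib
import hmac
import json
import time

CLOCK_SKEW_SECONDS = 60  # tolerance for clock drift between issuer and relying party

SECRET = b"constructed-shared-secret-not-for-production"
ISSUER = "https://example.okta.com/oauth2/default"   # hypothetical issuer URL
CLIENT_ID = "0oa-example-client"                    # hypothetical client id
NONCE = "n-0S6_WzA2Mj"                              # value the RP put in its authorize request
NOW = 1_586_900_000                                 # fixed clock so results are reproducible


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_id_token(claims: dict, secret: bytes) -> str:
    """Produce a signed HS256 JWT; stands in for the identity provider."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode()) for part in (header, claims)
    )
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{_b64url_encode(signature)}"


class TokenError(Exception):
    """Raised when an ID token fails any relying-party check."""


def validate_id_token(token, secret, issuer, client_id, nonce, now=None) -> dict:
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    # 1. Pin the algorithm we expect; never let the token choose (rejects "none" and swaps).
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise TokenError(f"unexpected alg {header.get('alg')!r}")
    # 2. Verify the signature over header.payload with a constant-time comparison.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise TokenError("signature mismatch")
    claims = json.loads(_b64url_decode(payload_b64))
    # 3. Issuer must be exactly the authorization server the user was sent to.
    if claims.get("iss") != issuer:
        raise TokenError("issuer mismatch")
    # 4. Audience must include this client (the spec allows a string or a list).
    aud = claims.get("aud")
    if client_id not in (aud if isinstance(aud, list) else [aud]):
        raise TokenError("audience mismatch")
    # 5. Lifetime, with a small skew allowance in both directions.
    if not isinstance(claims.get("exp"), (int, float)) or claims["exp"] + CLOCK_SKEW_SECONDS <= now:
        raise TokenError("token expired")
    if claims.get("iat", 0) - CLOCK_SKEW_SECONDS > now:
        raise TokenError("token issued in the future")
    # 6. Nonce ties the token to the login request that started this session (replay defence).
    if nonce is not None and claims.get("nonce") != nonce:
        raise TokenError("nonce mismatch")
    if not claims.get("sub"):
        raise TokenError("missing subject")
    return claims


def verdict(token, secret, issuer, client_id, nonce, now=None) -> str:
    """Return 'ok' or the reason a token was rejected; handy for logging and tests."""
    try:
        validate_id_token(token, secret, issuer, client_id, nonce, now)
        return "ok"
    except TokenError as exc:
        return str(exc)


def sample_claims(now=NOW) -> dict:
    return {"iss": ISSUER, "sub": "00u-example-user", "aud": CLIENT_ID, "iat": now,
            "exp": now + 3600, "nonce": NONCE, "email": "alice@example.com"}


def demo(now=NOW) -> dict:
    """Run the validator over one good token and several constructed bad ones."""
    good = mint_id_token(sample_claims(now), SECRET)
    header_b64, _, sig_b64 = good.split(".")
    edited_payload = _b64url_encode(json.dumps({**sample_claims(now), "sub": "00u-someone-else"}).encode())
    cases = {
        "valid": good,
        "payload_edited_without_key": f"{header_b64}.{edited_payload}.{sig_b64}",
        "wrong_audience": mint_id_token({**sample_claims(now), "aud": "0oa-other-client"}, SECRET),
        "expired": mint_id_token(sample_claims(now - 7200), SECRET),  # exp is an hour in the past
        "stale_nonce": mint_id_token({**sample_claims(now), "nonce": "old-request"}, SECRET),
        "signed_with_other_key": mint_id_token(sample_claims(now), b"different-secret"),
    }
    return {name: verdict(tok, SECRET, ISSUER, CLIENT_ID, NONCE, now) for name, tok in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:28s} {result}")
```

The order of the checks is deliberate: the algorithm is pinned and the signature verified before any claim is read, so nothing in an unsigned or re-signed payload influences the decision. Rejecting a token whose `aud` does not name this client also matters in an SSO estate like the one described above, where one identity provider issues tokens for thousands of applications.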
Some examples of different types of integrations:
- Applications: Box, Zoom, Slack, Salesforce, Office 365
- HR Systems: Workday, Ultimate Software, SuccessFactors
- Network Security: Palo Alto, Zscaler, Cisco, Check Point, Fortinet
- Security Analytics: Rapid7, Splunk, Sumo Logic, IBM QRadar
- API Gateway: Apigee, AWS, GCP, Kong
- IaaS: AWS, GCP
- Privileged Access Management: CyberArk, BeyondTrust
- Endpoint Management: MobileIron, VMware, IBM
This broad set of third-party integrations is critical to the success of Okta.
- It ensures that the platform is extensible to as many use cases as possible. If a major application doesn’t have an integration, that might be a customer adoption limiter.
- By being all-inclusive, this establishes Okta as a neutral, independent provider. The cloud vendors have IAM services, and Microsoft offers a stand-alone Active Directory solution. Okta is positioning themselves as cloud-neutral. By choosing Okta, customers can avoid lock-in with a particular cloud vendor, which seems to be a common consideration for large enterprise CIOs/CTOs to maintain optionality.
- Okta realizes network effects from all these integrations. They can observe customer activity to improve their services or launch new ones. Additionally, activity data across so many users/devices/integrations can be mined to improve security posture and user access features.
Insights
Okta Insights collects data from all Okta user activity and surfaces nefarious behavior. This information can be leveraged to block identity attacks. Hackers are constantly probing an enterprise’s user authentication entry points, trying to apply stolen credentials. Insights watches for this type of behavior and flags suspicious activity. An example would be an established user logging in from a new device and then trying to reset their password.
Insights is applied to three different services:
- ThreatInsight actively collects and monitors user activity across the Okta network to identify malicious activity. When found, it actively blocks login attempts by that user.
- HealthInsight applies best practices to an organization’s Okta configuration and provides recommendations to improve security posture. This could range from password policies to levels of authentication for high value assets.
- UserInsight prompts actual Okta users to review and report activity that appears suspicious. For example, if a malicious user tried to log in from a new location, UserInsight could notify the actual user and ask them to confirm the login attempt.
Products
Okta leverages the Platform Services that we just reviewed to build their product offerings. As discussed previously, this provides a number of benefits for the quality and completeness of the platform, as well as harnessing feedback from the developer ecosystem. Okta has divided their product line into two major segments – Workforce Identity and Customer Identity. Okta started life focusing on Workforce Identity with their Single Sign-on product. This product was targeted at the employees of enterprises. Over time, Okta was asked by these enterprises if the same identity management capabilities could be applied to managing identity for their customers. This spawned the product offerings for Customer Identity, which leverage many of the features built for Workforce Identity and the underlying Platform Services.
Workforce Identity
Workforce Identity is targeted at protecting user access within the enterprise for its employees, contractors and partners. With a SaaS tool for everything these days, enterprises must have a central system to manage access. This provides ease of use by eliminating individual passwords and maximizes control by efficiently disabling user access to many applications when necessary.
Before solutions like Okta, managing access to these shared SaaS applications was unwieldy at best and highly insecure at worst. I remember work-arounds like creating generic accounts for everyone on a team to share. If an employee was terminated, we would have to change all the shared account passwords and redistribute them. The alternative was to have each employee create their own account, but then they had to manage many individual account credentials (often kept in unencrypted files on their laptop).
Workforce Identity products provide enterprise IT managers with the tools to return sanity to account management and ensure security best practices are maintained. Let’s take a look at each Workforce Identity product.
Single Sign-on (SSO)
SSO was Okta’s first product and hit the market at an opportune time. It provides employees, contractors and partners access to authorized applications through an intuitive and customizable tool that runs on a desktop or mobile device. As discussed above, this was a godsend for busy IT managers who were scrambling to get control of the SaaS tool sprawl that exploded onto the scene after 2010 and accelerated in the following years. In parallel, many data breaches were being publicized, often considered the result of compromised user credentials. These two factors created a perfect market opportunity to drive growth for SSO solution providers, like Okta and their competitors. Fast forward to today: it is virtually impossible to safely manage user access to all these apps for an enterprise without relying on an IAM solution.
Okta has built integrations with thousands of the most popular cloud applications and infrastructure services. SSO supports several methods of authentication, including Web Authentication, SAML 2.0 and OpenID Connect. The policy engine for admins is flexible and supports conditional logic. For example, an admin could specify that access to a certain app requires multi-factor authentication if the user is on an IP range outside of the office.
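To make the conditional policy described above concrete, here is an added example (written for this post, not Okta's policy engine or its API) of a first-match-wins access policy evaluator. Each rule can be scoped by application, group membership, network zone (inside or outside the office IP ranges) and device management state, and decides allow, require MFA, or deny; anything no rule matches is denied. The office prefixes, users, groups and application names are constructed placeholders.

```python
"""First-match conditional access policy (added example, hypothetical names).

Illustrates the logic of "MFA if outside the office IP range" plus group and
device-trust conditions. Not Okta's engine; office ranges are RFC 5737
documentation prefixes and all users/apps are constructed.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

OFFICE_NETWORKS = [ipaddress.ip_network("203.0.113.0/24"), ipaddress.ip_network("198.51.100.0/25")]


@dataclass(frozen=True)
class Request:
    user: str
    groups: Set[str]
    app: str
    source_ip: str
    managed_device: bool


@dataclass(frozen=True)
class Rule:
    name: str
    decision: str                       # "allow", "mfa" or "deny"
    apps: Optional[Set[str]] = None     # None matches any app
    groups: Optional[Set[str]] = None   # None matches anyone; else the user needs one of these
    network: str = "any"                # "office", "off_network" or "any"
    device: str = "any"                 # "managed", "unmanaged" or "any"


# Ordered: specific rules first, broad rules last, implicit deny after that.
POLICY: List[Rule] = [
    Rule("admin-console-managed-only", "deny", apps={"aws-console"}, device="unmanaged"),
    Rule("payroll-hr-office", "allow", apps={"payroll"}, groups={"hr"}, network="office"),
    Rule("payroll-hr-remote-mfa", "mfa", apps={"payroll"}, groups={"hr"}, network="off_network"),
    Rule("payroll-others-deny", "deny", apps={"payroll"}),
    Rule("office-password-only", "allow", network="office"),
    Rule("remote-mfa", "mfa", network="off_network"),
]


def in_office(source_ip: str) -> bool:
    """True when the request's source address falls in a known office egress range."""
    addr = ipaddress.ip_address(source_ip)  # raises ValueError on garbage input
    return any(addr in net for net in OFFICE_NETWORKS)


def rule_matches(rule: Rule, req: Request, office: bool) -> bool:
    if rule.apps is not None and req.app not in rule.apps:
        return False
    if rule.groups is not None and not (req.groups & rule.groups):
        return False
    if rule.network == "office" and not office:
        return False
    if rule.network == "off_network" and office:
        return False
    if rule.device == "managed" and not req.managed_device:
        return False
    if rule.device == "unmanaged" and req.managed_device:
        return False
    return True


def evaluate(req: Request, policy: List[Rule] = POLICY) -> Tuple[str, str]:
    """Return (decision, rule name). Unparseable addresses and unmatched requests fail closed."""
    try:
        office = in_office(req.source_ip)
    except ValueError:
        return "deny", "unparseable-source-address"
    for rule in policy:
        if rule_matches(rule, req, office):
            return rule.decision, rule.name
    return "deny", "implicit-deny"


if __name__ == "__main__":
    samples = [
        Request("alice", {"engineering"}, "github", "203.0.113.10", True),
        Request("alice", {"engineering"}, "github", "192.0.2.10", True),
        Request("bob", {"hr"}, "payroll", "192.0.2.10", True),
        Request("carol", {"contractors"}, "payroll", "203.0.113.10", True),
        Request("dave", {"platform"}, "aws-console", "203.0.113.10", False),
    ]
    for r in samples:
        print(r.user, r.app, r.source_ip, "->", evaluate(r))
```

Two design points worth noting: the `payroll-others-deny` rule must sit before the broad `office-password-only` rule, otherwise a non-HR user in the office would be allowed through, which is exactly the kind of ordering mistake an admin interface with conditional logic makes easy to introduce; and an address that cannot be parsed is treated as a deny rather than as "off network", so malformed input never lands in the more permissive branch.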
Okta also provides a browser plug-in that makes it easy to log into an app directly from an open browser. It can detect that an Okta login is available for a currently viewed web app. The UI for the login page can be customized to reflect the enterprise’s brand. Integration with AD/LDAP systems is available as well for those enterprises with some legacy, on-prem applications. Using the new Okta Verify app, customers can enable FastPass functionality, which eliminates passwords.
For the security team, SSO generates a real-time system log of all activity, with geolocation tracking. For user activity, the system records location, device context and network data. SSO log data can be reviewed manually or in pre-built summary reports. Also, the entire log can be periodically shipped to a SIEM tool, like Rapid7, for detailed examination.
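Once the SSO log is in a SIEM, the two behaviours this post mentions (credential probing against many accounts, and an established user logging in from a new device and then changing their password) are straightforward to detect. The following added example, written for this post and not Okta's ThreatInsight or any Okta code, runs both detections over a handful of constructed events. The event shape is a simplified subset of the System Log JSON fields (`eventType`, `outcome`, `actor`, `client`, `published`); the users, addresses, device names and the per-user known-device baseline are constructed.

```python
"""Two detections over constructed Okta-style login events (added example).

Simplified System Log shape; all users, IPs, devices and timestamps are
constructed. Not Okta's detection logic.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set


def ev(ts, event_type, result, user, ip, device="Unknown"):
    """Build one constructed event in the simplified System Log shape."""
    return {"published": ts, "eventType": event_type, "outcome": {"result": result},
            "actor": {"alternateId": user}, "client": {"ipAddress": ip, "device": device}}


EVENTS = [
    ev("2020-04-15T09:00:01Z", "user.session.start", "FAILURE", "alice@example.com", "192.0.2.55"),
    ev("2020-04-15T09:00:03Z", "user.session.start", "FAILURE", "bob@example.com", "192.0.2.55"),
    ev("2020-04-15T09:00:05Z", "user.session.start", "FAILURE", "carol@example.com", "192.0.2.55"),
    ev("2020-04-15T09:00:09Z", "user.session.start", "FAILURE", "dave@example.com", "192.0.2.55"),
    ev("2020-04-15T09:02:00Z", "user.session.start", "FAILURE", "alice@example.com", "198.51.100.7", "macbook-alice"),
    ev("2020-04-15T09:02:20Z", "user.session.start", "SUCCESS", "alice@example.com", "198.51.100.7", "macbook-alice"),
    ev("2020-04-15T09:30:00Z", "user.session.start", "SUCCESS", "bob@example.com", "192.0.2.77", "win10-7f3a"),
    ev("2020-04-15T09:34:10Z", "user.account.update_password", "SUCCESS", "bob@example.com", "192.0.2.77", "win10-7f3a"),
    ev("2020-04-15T10:00:00Z", "user.session.start", "SUCCESS", "carol@example.com", "203.0.113.9", "carol-thinkpad"),
    ev("2020-04-15T10:45:00Z", "user.account.update_password", "SUCCESS", "carol@example.com", "203.0.113.9", "carol-thinkpad"),
]

# Constructed baseline: devices each user has been seen on before.
KNOWN_DEVICES: Dict[str, Set[str]] = {
    "alice@example.com": {"macbook-alice"},
    "bob@example.com": {"bob-pixel"},
    "carol@example.com": {"carol-thinkpad"},
}


def _ts(event) -> datetime:
    return datetime.strptime(event["published"], "%Y-%m-%dT%H:%M:%SZ")


def detect_credential_stuffing(events, window=timedelta(minutes=5), min_users=3) -> List[dict]:
    """One source IP failing against many distinct accounts inside a short window."""
    failures = defaultdict(list)
    for e in events:
        if e["eventType"] == "user.session.start" and e["outcome"]["result"] == "FAILURE":
            failures[e["client"]["ipAddress"]].append((_ts(e), e["actor"]["alternateId"]))
    alerts = []
    for ip, attempts in failures.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts.append({"rule": "credential_stuffing", "ip": ip,
                               "distinct_users": len(users), "first_seen": start.isoformat()})
                break  # one alert per source IP is enough
    return alerts


def detect_new_device_then_password_change(events, known=KNOWN_DEVICES,
                                           window=timedelta(minutes=10)) -> List[dict]:
    """Successful login from an unseen device followed quickly by a password change."""
    last_new_device = {}  # user -> (time, device, ip) of the latest unseen-device login
    alerts = []
    for e in sorted(events, key=_ts):
        if e["outcome"]["result"] != "SUCCESS":
            continue
        user, device = e["actor"]["alternateId"], e["client"]["device"]
        if e["eventType"] == "user.session.start":
            if device not in known.get(user, set()):
                last_new_device[user] = (_ts(e), device, e["client"]["ipAddress"])
        elif e["eventType"] == "user.account.update_password":
            seen = last_new_device.get(user)
            if seen and _ts(e) - seen[0] <= window:
                alerts.append({"rule": "new_device_then_password_change", "user": user,
                               "device": seen[1], "ip": seen[2],
                               "minutes_between": (_ts(e) - seen[0]).total_seconds() / 60})
    return alerts


def run_detections(events=EVENTS) -> List[dict]:
    return detect_credential_stuffing(events) + detect_new_device_then_password_change(events)


if __name__ == "__main__":
    for alert in run_detections():
        print(alert)
```

The sample deliberately includes a benign near-miss for each rule: Alice mistypes her password once from her own laptop, which never reaches the distinct-user threshold, and Carol rotates her password from a device already in her baseline, so no new-device record exists to pair it with. Tuning the window and threshold against your own log volume is the part no example can do for you.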
Universal Directory
We discussed the Universal Directory product previously when examining the Directories service. Universal Directory allows IT managers to store all user accounts and their associated attributes. These can be tied to other identity providers, like Active Directory or an HR system. All of this data can be manipulated through an admin interface or programmatically through an API. Users can be organized into groups, with access determined at a group level. For other apps that manage their own user directory information, like G Suite, the admin can manage a field-level mapping of the attributes to be exchanged.
One powerful aspect of Universal Directory is its ability to serve as a “meta-directory”. By integrating with other systems that manage user directory information, the Okta Universal Directory becomes the source of truth for all of these systems and facilitates synchronization between them. Imagine the benefit for IT personnel that have to manage user accounts across multiple cloud and legacy systems.
Okta has made a real effort to extend their capabilities to work with legacy identity providers and other systems of record for identity. This has increased appeal for mainstream enterprises, who have these legacy systems and can’t easily sunset them. Oftentimes, an enterprise will just keep older systems alive for long periods, rather than incurring the cost to fully shut them off. By integrating with these legacy systems and other identity providers, Okta positions itself to be the centralized identity store.
Another benefit of being a meta-directory is that Okta can facilitate password reset across all systems in one workflow. Traditionally, if a user forgot their password or got locked out of their account, it would require a call/ticket to the IT help desk team. Okta offers a self-service flow for password reset, that spans all systems and still maintains appropriate (one might argue better) security controls.
Advanced Server Access (ASA)
ASA is a relatively new, but powerful addition to the Okta product suite. It extends Okta’s robust identity and access management capabilities to privileged accounts on cloud native infrastructure. It allows system administrators to control access to Windows and Linux servers through a single system that cuts across hybrid and multi-cloud configurations.
This extension by Okta into privileged server access management makes a lot of sense and represents a real game changer. Previously, in order to access a server within a cloud hosted environment, a developer or system administrator would use a protocol like SSH to establish a direct connection from their machine to the server. Authentication was performed either through username/password entry or with a long-lived SSH key pair whose public key was installed on each server. This approach carried both risk and overhead. First, accounts and authorized keys on each server had to be provisioned and managed by system administrators. Users had to store their private keys locally, where they could be compromised by attackers or lost with a stolen laptop. Also, some types of accounts had shared credentials, which meant that they needed to be reset on personnel changes. Finally, as a security best practice, credentials need to be rotated periodically, which creates overhead for critical inter-server communications. Oftentimes, busy DevOps teams would postpone or skip credential rotation indefinitely.
Okta ASA applies Zero Trust principles to infrastructure access management. ASA issues single-use, ephemeral credentials to the user for every login, leveraging a certificate based architecture. Each request using these credentials is then independently authenticated and authorized. Access requests are continuously checked against Zero Trust context, like user, device, network, location and policy factors for that activity. Each certificate for a user session is narrowly scoped and expires after a single use.
The benefits of this are threefold. First, and most importantly, it improves the security posture significantly, because long-lived user credentials are no longer floating around for attackers to find. Second, it removes the overhead of scheduled credential rotation (a PCI DSS requirement) by effectively making rotation continuous. Third, it simplifies life for system administrators, as they are not spending time managing user account lists and distributing them to servers.
ASA capabilities integrate with existing tools for managing SSH and RDP, and are also available to be managed programmatically through APIs. This works for both human and system user accounts across the main cloud providers, AWS, Azure and GCP, as well as for hybrid environments.
Okta ASA is enabled by a lightweight server agent that is easy to install and can be deployed through standard configuration management and provisioning tools (Chef, Ansible, Puppet, Terraform). It is supported on Windows and most flavors of Linux. The server agent writes login activity to a local log and ships it back to ASA to be processed. Aggregated logs can be exported to third party SIEM tools for further examination. Login activity can also be viewed in real time or searched and displayed in an Admin dashboard.
User accounts can be rolled up into user groups and policies managed by Universal Directory. These user groups can be associated with server groups at a high level. This provides significant efficiency for system administrators, as it quickly replicates access permissions across servers based on a user account’s group membership. ASA is a downstream application from Universal Directory in this context. The server agents apply access rules individually to each server. Controls extend to sudo entitlements across server groups to allow for command-level permissions for users on each server. In this case, the server agent manipulates entries in the sudoers file. The server agent periodically calls back to the ASA API for any changes in user status, group membership or sudo entitlements. This ensures that changes to access controls are distributed quickly.
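To make the sudo entitlement mechanism concrete, here is an added illustration of what an agent has to do when it turns group-based entitlements into sudoers entries. This is not Okta’s agent code; the entitlement shape (user group, server groups, commands), the group and server names and the BEGIN/END marker convention are all constructed for the example.

```javascript
// Added illustration, not Okta's ASA agent: render sudo entitlements for the
// server groups a host belongs to into a managed section of a sudoers-style file.
// The entitlement model and the marker convention below are hypothetical.

const USER_NAME = /^[a-z_][a-z0-9_-]{0,31}$/;   // conservative POSIX-style group names
const ABS_PATH = /^\/[A-Za-z0-9_./-]+$/;        // commands must be absolute paths

// Constructed sample entitlements: which group may run what, on which server group.
const entitlements = [
  { group: 'sre',    serverGroups: ['web', 'db'], commands: ['ALL'], nopasswd: true },
  { group: 'deploy', serverGroups: ['web'],
    commands: ['/usr/bin/systemctl restart nginx', '/usr/bin/journalctl'], nopasswd: true },
  { group: 'dba',    serverGroups: ['db'],        commands: ['/usr/bin/pg_ctl'], nopasswd: false },
];

// Build the sudoers lines that apply to one host, given the server groups it is in.
// Names and commands are validated so a bad entitlement record cannot inject
// arbitrary sudoers syntax.
function renderSudoers(hostServerGroups, ents) {
  const lines = [];
  for (const e of ents) {
    if (!USER_NAME.test(e.group)) throw new Error(`unsafe group name: ${e.group}`);
    if (!e.serverGroups.some(sg => hostServerGroups.includes(sg))) continue;
    for (const cmd of e.commands) {
      if (cmd !== 'ALL' && !ABS_PATH.test(cmd.split(' ')[0])) {
        throw new Error(`command must be an absolute path: ${cmd}`);
      }
    }
    const tag = e.nopasswd ? 'NOPASSWD: ' : '';
    lines.push(`%${e.group} ALL=(ALL) ${tag}${e.commands.join(', ')}`);
  }
  return lines;
}

const BEGIN = '# BEGIN managed-by-agent';
const END = '# END managed-by-agent';

// Replace (or append) the managed section so repeated syncs are idempotent and
// locally maintained entries outside the markers survive.
function updateManagedSection(existing, managedLines) {
  const block = [BEGIN, ...managedLines, END].join('\n');
  const start = existing.indexOf(BEGIN);
  const end = existing.indexOf(END);
  if (start !== -1 && end !== -1 && end > start) {
    return existing.slice(0, start) + block + existing.slice(end + END.length);
  }
  return existing.replace(/\n?$/, '\n') + block + '\n';
}

// Usage: what a host in the "web" server group would receive.
const webHostSudoers = updateManagedSection('Defaults env_reset\n', renderSudoers(['web'], entitlements));
```

In practice the rendered file should be validated with `visudo -c -f <file>` before it is moved into `/etc/sudoers.d/`, since a syntax error in sudoers can lock administrators out of privilege escalation on the host.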
It is very interesting that Okta now has an agent deployed on every server, as part of ASA. This is similar to the move made by Datadog by installing an agent on every piece of data center hardware for infrastructure monitoring. In order to perform its role, the ASA agent would need to be deployed on almost every server in an enterprise’s infrastructure. This gives Okta visibility into the activity of an enterprise’s entire cloud footprint, as well as a logging pipeline for returning usage data back to the centralized Okta platform. This is a new motion for Okta and could provide the basis for future product offerings in endpoint security or observability.
Access Gateway
While most of the new applications for identity are located in the cloud (SaaS, mobile apps, IaaS), many companies have large installations of on-premise applications for enterprise functions for ERP, employee productivity or HR. This has created a hybrid IT environment, where external resource access is controlled by one identity provider and on-prem applications are managed by another. Okta Access Gateway allows enterprises to extend the same benefits of centralized identity and access management from the cloud to these on-premise applications.
Access Gateway provides the same approach to authentication that is available for cloud apps – through SSO, MFA, etc. Okta has built granular integrations with the major enterprise software packages, which avoids hiring systems integrators to make code changes to these legacy installations. Okta’s ThreatInsight service continuously monitors all access activity and will proactively block access that appears malicious. This capability further supports a Zero Trust posture, as access to internal software systems was often controlled only at the network level. This additional layer of security is particularly critical for these types of systems, as they often house the most sensitive company information. Examples of integrations include Oracle E-Business Suite, PeopleSoft, Microsoft SharePoint, IBM and SAP.
These are some of the benefits to IT managers of Okta’s Access Gateway product:
- Reduces cost. Many legacy, on-prem IAM solutions require additional hardware to host middleware and databases for the system. Access Gateway doesn’t require additional middleware or database servers to function.
- Reduces overhead. Managing two separate IAM solutions means that IT managers have to duplicate accounts and policies in both systems.
- Improves security posture. Many of these internal, on-prem systems rely on a perimeter security defense. In a Zero Trust environment, we can’t assume that an on-prem system is secure because it is behind a firewall and VPN.
API Access Management
API Access Management allows companies to secure access to the API back-end that powers their customer facing experiences, like mobile and web apps. Previously, API access security had to be handled by developers through custom code for creating access tokens to authenticate requests between clients and the API access points. Okta’s API Access Management solution takes over this function, providing the control layer between client requests and the API access points.
API Access Management supports OAuth 2.0 API authorization, which is the general standard. API access policies can be centralized and updated in the Okta system, versus requiring code changes. This approach can be applied to mobile apps, JavaScript-powered web apps (SPAs) and even service-to-service communications, like microservices. API access tokens can be issued and revoked in real time, providing a more responsive capability for securing API endpoint access. This is particularly useful, as attackers often employ bots to locate and probe public-facing API endpoints.
Okta’s API Access Management is also compatible with 3rd party API management solutions, like Apigee. It allows for flexible policy controls that define access by user profile, groups, network and client type. Controlling access to APIs can apply to internal development teams or external partners.
API Access Management provides significant benefits to engineering organizations. It reduces the cost and complexity of building bespoke API access solutions in code. It also provides a higher level of security by increasing the granularity of control for issuing access tokens between client apps and the back-end API services. As more enterprises pursue digital transformation, their efforts often involve building new mobile and web experiences. These client apps will often use a back-end API to service logic and data. Having a convenient and scalable mechanism for handling API access controls will provide a major benefit.
Adaptive Multi-factor Authentication
Okta’s Adaptive MFA capability allows customers to apply different types of user authentication in a dynamic manner, based on the context of that particular access request.
Multi-factor authentication usually draws on three categories of factor to confirm identity:
- Knowledge Factors. Based on something the user knows (password, security question)
- Possession Factors. Based on something the user has (SMS/Email PIN, software OTP client, Okta Verify app). SMS and email codes are the weakest of these, since they can be intercepted or redirected, for example through SIM swapping.
- Inherence Factors. Based on something the user is (fingerprint or face, typically unlocking a FIDO/WebAuthn authenticator)
Determining a user’s required MFA level can be dynamic, based on the context of the user’s login request at that point in time.
- Location Context: City, state, country, new location for a user
- Device Context: Device fingerprint, new device for that user, device management status
- Network Context: Network IP, ISP, new IP range for a user
IT managers can establish policies around these types of user context, like streamlined authentication if the user is on a recognized network and device, but strict authentication at a new location. Also, policy checks occur before the credentials are evaluated. This helps blunt brute force attacks and the account lockouts they cause: for example, a bot making repeated authentication requests from a blocked country is rejected by policy before the password is ever checked, so those attempts do not count toward the lockout threshold and cannot lock the legitimate user out of their own account.
Okta also supports passwordless authentication. The simplest path is the Okta Verify app, but it also works with other methods, including WebAuthn, factor sequencing, PIV/smart cards, email magic links, Device Trust and desktop single sign-on.
ThreatInsight can also be enabled to continuously monitor MFA activity and proactively block malicious login attempts. This uses machine learning to build an access profile for each user. It helps reduce risk without requiring exhaustive policy creation. In this case, Okta establishes a baseline login behavior for each individual user, and responds to anomalous activity with the appropriate type of authentication factor. The further a user’s login attempt moves from baseline behavior, the higher the MFA requirement will be.
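The conditional policy example from the Single Sign-on section (MFA required outside the office IP ranges) and the context-driven rules above are the same mechanism. Here is an added example of such a sign-on policy evaluator, written for illustration rather than taken from Okta: ordered rules are matched against network, device and location context, the first match wins, and a pre-authentication denial is kept separate from lockout accounting so a bot cannot lock out a real user. The zone names, IP ranges, country code, rule set and sample contexts are all constructed.

```javascript
// Added illustration, not Okta's policy engine. Zones, rules and contexts are constructed.

function ipToInt(ip) {
  const o = ip.split('.').map(Number);
  if (o.length !== 4 || o.some(n => Number.isNaN(n) || n < 0 || n > 255)) throw new Error(`bad IPv4: ${ip}`);
  return ((o[0] << 24) | (o[1] << 16) | (o[2] << 8) | o[3]) >>> 0;
}

// IPv4 CIDR match; both sides are masked so the signed-int32 results compare cleanly.
function inCidr(ip, cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return (ipToInt(ip) & mask) === (ipToInt(net) & mask);
}

// Constructed network zones (documentation ranges) and a blocked-country list.
const zones = { office: ['203.0.113.0/24', '198.51.100.0/25'], blockedCountries: ['XX'] };

// Rules are evaluated top to bottom; the first match wins.
// 'deny_pre_auth' rejects before the password is checked, so the attempt never
// reaches the credential store and never counts toward the lockout threshold.
const rules = [
  { name: 'block-country',    when: c => zones.blockedCountries.includes(c.country),       action: 'deny_pre_auth' },
  { name: 'office-known-dev', when: c => c.onOffice && c.deviceKnown && c.deviceManaged,  action: 'password' },
  { name: 'new-device',       when: c => !c.deviceKnown,                                    action: 'password+possession' },
  { name: 'new-location',     when: c => c.newLocation,                                     action: 'password+possession' },
  { name: 'default',          when: () => true,                                             action: 'password+any_factor' },
];

// ctx: { ip, country, deviceKnown, deviceManaged, newLocation }
function evaluate(ctx) {
  const c = { ...ctx, onOffice: zones.office.some(cidr => inCidr(ctx.ip, cidr)) };
  const rule = rules.find(r => r.when(c));
  return { rule: rule.name, action: rule.action, countsTowardLockout: rule.action !== 'deny_pre_auth' };
}

// Lockout bookkeeping: only failures that reached credential evaluation are counted.
const LOCKOUT_THRESHOLD = 5;
function makeLockoutTracker() {
  const failures = new Map();
  return {
    recordFailure(user, decision) {
      if (!decision.countsTowardLockout) return false;
      const n = (failures.get(user) || 0) + 1;
      failures.set(user, n);
      return n >= LOCKOUT_THRESHOLD;
    },
    isLocked(user) { return (failures.get(user) || 0) >= LOCKOUT_THRESHOLD; },
  };
}

// Usage: a managed, known device on the office network only needs a password.
const officeDecision = evaluate({ ip: '203.0.113.45', country: 'US', deviceKnown: true, deviceManaged: true, newLocation: false });
```

The design choice worth copying is that the policy decision and the lockout counter are separate objects: the counter only learns about a failure when the decision says the password was actually checked. Collapsing the two (counting every rejected request) is what turns a credential-stuffing bot into a denial of service against your own users.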
Lifecycle Management
Lifecycle Management provides capabilities to address the normal lifecycle of a user account. This starts with provisioning, which determines what applications a new user can access after being created. The typical workflow is kicked off when an employee is added to the HR system. Based on their assigned user group, lifecycle management directs a set of steps with conditional logic to configure access for each allowed application. If the application is license based, lifecycle management handles the assignment of licenses. Similarly, when the user is removed, the deprovisioning process will disable user accounts on all applications and release their associated licenses.
Lifecycle Management leverages Universal Directory as the source for user group, application and device mappings. This also brings the meta-directory capability, so that provisioning in Okta managed applications gets propagated to other identity providers, like AD. Lifecycle management can integrate with third-party ITSM and ticketing systems (like ServiceNow) as well.
Admins can monitor user account states through the lifecycle from a single console. They can add and delete users, as well as force a password reset. Alternatively, the full lifecycle can be controlled programmatically, by setting up rules, policies and workflows, or through custom scripts that manipulate Okta APIs. These can include logic like condition and action – if the user is a member of the contract project group, then suspend their account on the date of contract conclusion.
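An added example of the provisioning logic this section describes, written for illustration and not Okta’s Lifecycle Management code: the set of apps a user should hold is derived from group membership and status (including the contractor end-date rule above), compared with the apps they currently hold, and the difference becomes provision/deprovision actions with license assignment or release. The group-to-app mapping, the licensed-app list, the app names and the sample users are constructed; dates are ISO `YYYY-MM-DD` strings so they compare lexicographically.

```javascript
// Added illustration, not Okta's code. Mappings, app names and users are constructed.

const appsByGroup = {
  everyone:    ['email', 'chat'],
  engineering: ['vcs', 'ci'],
  sales:       ['crm'],
};
const licensedApps = new Set(['crm', 'ci']);   // apps whose seats must be assigned/released

// Desired state: what this user should have access to as of `today` (ISO date string).
function desiredApps(user, today) {
  if (user.status === 'terminated') return new Set();
  // Contractor rule: access ends on the contract conclusion date.
  if (user.contractEnd && user.contractEnd <= today) return new Set();
  const apps = new Set();
  for (const g of user.groups) for (const a of appsByGroup[g] || []) apps.add(a);
  return apps;
}

// Reconcile desired vs. current app accounts into an action list. Running it again
// on the resulting state yields no actions, so it is safe to execute repeatedly.
function reconcile(user, currentApps, today) {
  const want = desiredApps(user, today);
  const have = new Set(currentApps);
  const actions = [];
  for (const app of want) {
    if (!have.has(app)) actions.push({ op: 'provision', app, license: licensedApps.has(app) ? 'assign' : null });
  }
  for (const app of have) {
    if (!want.has(app)) actions.push({ op: 'deprovision', app, license: licensedApps.has(app) ? 'release' : null });
  }
  // Suspend the Okta account itself when the user should retain nothing.
  const suspend = want.size === 0 && have.size > 0;
  return { suspend, actions };
}

// Apply an action list to a current-app list (what the downstream connectors would do).
function apply(currentApps, actions) {
  const have = new Set(currentApps);
  for (const a of actions) (a.op === 'provision' ? have.add(a.app) : have.delete(a.app));
  return [...have];
}

// Usage: a new engineering hire with no accounts yet.
const newHire = { status: 'active', groups: ['everyone', 'engineering'] };
const hirePlan = reconcile(newHire, [], '2020-07-01');
```

The subtle part is the "mover" case: someone who changes from sales to engineering must lose the CRM seat, not just gain the engineering apps, which is exactly what the diff produces and what manual provisioning tends to miss.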
Customer Identity
After building out all of their sophisticated identity capabilities for enterprises to manage employee and partner access, Okta realized that these same services could be leveraged by developers to build identity into custom applications. This spawned Okta’s Customer Identity product offerings, which leverage the core platform services and re-use many of the Workforce Identity features.
Customer Identity solutions are targeted at developers. The top of the Customer Identity section of the Okta web site implores – “Are you a developer? Start building for free.” After traditionally selling to IT managers at enterprises, this is a new motion for Okta. At their recent Investor Day presentation, the head of sales acknowledged that his team now targets CTOs and VPs of Engineering, in addition to CIOs and CISOs.
As with Workforce Identity, Okta’s Customer Identity solutions address a critical need in the market. This has been magnified by the emergence of many custom applications built by enterprises going through digital transformation initiatives. For example, Albertson’s wanted to provide their customers with an experience to manage their loyalty program and enable online shopping. They built web and mobile apps to support this. Part of those apps requires customers to register for an account and authenticate on each use. This identity use case is very common.
The standard way to enable a registration and login experience like this is to have a developer create custom code for it. Most development frameworks, like Ruby on Rails or PHP Laravel, even include plug-in code to handle authentication functionality. This is indeed an easy way to kickstart a basic application.
However, while the feature seems simple on the surface, it can quickly devolve into a thicket of complexity and edge cases. My team built one of these from scratch in PHP at a large dating web site. Here is a list of issues that we had to address, which became increasingly complex over time:
- Password strength rules and enforcement
- Password hashing and storage
- Password reset flows
- Multi-factor authentication
- Device fingerprinting for fraud protection
- Integration with third-party identity services, like Facebook Auth
- Brute force attacks
The landscape is even more complicated now. Identity no longer makes sense for developers at the average internet operation or enterprise to manage themselves. Only the largest properties (FAANG) can afford to apply the developer resources needed to implement this properly.
Okta Customer Identity services provides all of this functionality and more for managing customer identity and access. The product is developer-friendly with well-documented APIs, SDKs in several languages and example code for common scenarios. Once the Okta Customer Identity solution is wired into an application, new user accounts can be managed within the Okta toolset. The security team can set policies without needing developer support. They can also monitor for malicious activity.
As we will discuss in the TAM section, this represents a major new market opportunity for Okta and significantly expands their addressable market size from what was available with just Workforce Identity solutions. This extension of Okta’s offerings into a set of platform services that are marketed to developers is a trend I have noticed with some other software providers recently. I provided some perspective on how to evaluate platform plays in a prior post, including commentary on how Okta is addressing this.
Many of the mechanics of the Customer Identity offering are included in the commentary on Platform Services and Workforce Identity above. There are a couple of focus areas worth discussing.
Authentication
Okta Customer Identity provides a seamless sign-in experience that can be customized to adhere to the UI and workflow needed. It utilizes open standards like SAML and OIDC. Authentication is integrated with all major social login mechanisms, so those solutions can be offered to customers instead of having them create a new username/password combination. This list includes Google, Facebook, Github, Dropbox, Microsoft, LinkedIn, Twitter and Reddit. Supporting some or all of these by an internal development team would represent a lot of overhead.
Passwords are stored as salted hashes rather than encrypted values (Okta describes its choice as the strongest hashing algorithm available). Password policies are flexible and can be configured by an Admin through a management interface. Also, the system provides adaptive and configurable rules for laying out different login flows depending on authentication method and provider. It also supports passwordless authentication through an email-based magic link.
Admins have access to a centralized interface for policy control. They can view account activity in real-time or through a set of search parameters. Password complexity policy controls are very deep and sophisticated. These would require significant development work if supported by the customer company’s own development team.
Authorization
While authentication verifies the user’s identity, authorization determines what resources they can access. This can range from whole applications to specific features (subscriptions, private directories, video content) within them. The same controls extend to API endpoints. Okta supports authorization for its Customer Identity products through a set of attribute-based policies that are compliant with open protocols like SAML and OAuth.
The Okta Customer Identity solution can also help manage user consent granting for downstream third-party applications. The user can grant or revoke a set of permission scopes, like viewing profile information or taking actions on behalf of the user. This is a huge benefit, as building the integration with other apps to discover and manage these scopes represents a lot of one-off overhead for development teams.
For app administrators, authorization policies are easy to set up and manage, without requiring developers to make code changes. These have granular level conditional controls – authorization policies can include logic to determine access levels based on user profile, group membership, IP address range, client type and consent. Also, application Admins can monitor how authorization policies are applied to users by reviewing actual activity data. This is possible because the Okta Customer Identity system logs all user authentication/authorization activity and makes it available to Admins. They can identify normal access patterns and detect malicious activity in-flight. Tokens issued to customers can be reviewed and revoked immediately.
Okta’s authorization scheme supports the OAuth 2.0 protocol and many extensions to allow app developers to address most authentication and authorization edge cases. Okta is heavily involved in developing these open standards, which gives them a leg up in implementation.
For API access management, the same authorization capabilities apply. Access token policies are configurable, like token refresh and expiration timeframe. Admins can set policies to segment OAuth access by user type, application and other user context factors.
Both authentication and authorization support integration with other internal services and data stores within enterprises in order to retrieve or update customer specific profile data, or modify entitlements related to downstream applications or services.
User Management
Okta Customer Identity provides extensive support for the new user registration process. When a user is presented with an Okta powered login screen, they can select the “New User” link and be directed into a robust registration flow. This not only collects data needed by the Okta identity system, but supports programmable event hooks to write data to other enterprise systems. For example, new user registrations could kick off scripts to update the CRM system, email marketing tools, data warehouse / analytics, loyalty program, etc.
Okta also supports progressive profiling. This represents the idea that consumer sites want to minimize the amount of information required from new users at registration. This could be limited to just what is necessary to enable the basic user browsing experience. If the user then wanted to kick-off a higher level process, the Okta system could be triggered to prompt the user to enter additional information. For example, a shopping cart might need a zip code to calculate sales tax or a content site might want to ensure they have a user’s email in order to read a more valuable article.
All of these common prompts are available as pre-built, but customizable, workflows. Again, none of these widgets requires custom development for the internal engineering organization. For customer communications, email and SMS templates are available in over 20 languages.
Since Okta tracks the workflows to collect new user information and build progressive profiles, the system can also be leveraged to manage the user account deactivation process. When a customer requests to have their account deleted for whatever reason, the Okta system can leverage the same inline hooks to send updates to downstream systems, prompting them to initiate their user data removal actions.
Finally, as would be expected, Okta provides extensive support for migration of existing user data stores into the Okta Customer Identity system. This would address the case where an enterprise or internet-first company leveraged a legacy system or DIY approach to user registration and authentication. Okta provides tools to enable one-time bulk transfer of user records and/or inline hooks to migrate individual user data after each return login.
Pricing
Okta provides transparent pricing for most of its products. They offer a free trial and sign-up can be completed online in a self-service motion. Sales gets involved to finalize the contract and total pricing for a customer. Pricing is segmented for Workforce Identity products versus Customer Identity.
Workforce Identity
Products are generally priced on a per user per month basis and billed annually. A minimum contract spend of $1,500 per year applies. All pricing listed is the starting price. Larger customers with more than 5,000 users can get volume discounts.
- Single Sign-on: $2 per user/month. Adaptive SSO is $5 user/month.
- Universal Directory: $2 per user/month
- Lifecycle Management: $4 per user/month. Advanced is $6 user/month.
- MFA: $3 per user/month. Adaptive MFA is $6 user/month.
- API Access Management: $2 per user/month
- Access Gateway: $3 per user/month
- Advanced Server Access: $15 per server/month
Customer Identity
Since the Customer Identity solution is meant for development teams at enterprises to consume in order to build their own apps, the pricing model is different. It consists of three Editions, which are essentially levels of usage. The Developer edition is free up to 1,000 MAUs and then scales up to $1,000 per month for up to 50,000 MAUs. The One App and Enterprise levels allow for more users (up to billions) and are distinguished by the number of SAML applications the company plans to support. Generally, One App would support a single typical user application, while Enterprise would accommodate several. Okta claims that some enterprise customers have hundreds of these custom apps.
Customer Identity also offers a number of add-on subscriptions, paid annually. These include Inbound Federation, API Access Management, Adaptive MFA, SSO Integrations, Lifecycle Management, Access Gateway and Directory Integration. Starting prices for these range from $8k to $21k per year.
DynamicScale is a new add-on that supports traffic spikes by allowing customers to pay extra to avoid hitting rate limits on API requests. Pricing requires a conversation with the sales team. In their Q4 FY20 earnings call, Okta leadership cited this add-on as driving a lot of interest from larger customers.
Openness, APIs and Developer Motion
As discussed above, with the launch of Platform Services, Okta is embracing a developer-friendly motion. Okta’s objective is to make consumption of identity services as easy as possible for developers. This is evidenced by their developer site, which is appealing and intuitive. Documentation is thorough with many code examples. Packaged SDKs have extensive coverage of the most popular mobile, front-end and back-end languages. Each includes links to Okta’s GitHub repo with working code under the permissive Apache 2.0 license.
They provide a public change log, which lists all the changes for every release that might impact the API. Okta also publishes a developer-specific blog, with updates, best practices and general software engineering discussion. They host an active Developer Forum, which appears to address many common issues or questions. Most items posted have received a response. Finally, Okta sponsors an App Showcase, where developers can share functional, open source apps that they have built with Okta. There are currently 172 of these.
Developer sign-up is easy with minimal information required. The developer doesn’t need to enter a credit card to get started. Use of services is free for up to 1,000 monthly active users.
Product Development Velocity
Since going public in April 2017, Okta has been rapidly expanding their product offerings. Most of the enhancements were built by internal development teams. They supplemented this work with two acquisitions. Most of the major product releases revolve around their annual user conference, called Oktane, which generally occurs in spring of each year.
Here is list of major product release highlights since the IPO in 2017:
- April, 2020: Introduced Lifecycle Management Workflows, which provides IT teams with a clean UI to build automated business processes without code.
- April, 2020: Introduced Okta Platform Services.
- April, 2020: Unveiled FastPass, which enables a passwordless login experience across devices, applications and operating systems including iOS, iPadOS, macOS, Android and Windows.
- April, 2020: Announced partnerships with Carbon Black and CrowdStrike to provide a broad set of device risk signals to the Okta Identity Cloud, enabling enterprises to combine endpoint risk detection with user identity.
- October, 2019: Launched DynamicScale, which enables the largest businesses and the most highly-trafficked apps on the internet to support traffic bursts of up to 500k authentications per minute.
- October, 2019: Launched SecurityInsights. Allows users to self-report suspicious activity and provides recommendations to Admins.
- April, 2019: Launched the Advanced Server Access product for infrastructure access management.
- April, 2019: Launched a risk-based authentication solution with machine learning capabilities to automatically raise authentication requirements through SSO and adaptive MFA.
- April, 2019: Announced Identity Engine, which provides a set of customizable building blocks for identity flows, breaking apart pre-defined authentication, authorization and registration steps. Also, made Okta Hooks available.
- April, 2019: Launched the Access Gateway product. Connects legacy on-prem applications to the Identity Cloud.
- May, 2018: Introduced the paid One App tier of API usage, for development teams to use Okta Identity APIs to build full-featured applications.
- May, 2018: Announced Project Onramp which allows a select set of applications to be accessed from Okta with just a single click.
- May, 2018: Launched adaptive SSO to assess user access risk and require the appropriate level of authentication. Introduced the ThreatInsight capability.
- August, 2017: Enhancements to Adaptive Multi-Factor Authentication (AMFA) and added two-factor authentication as the new standard for all Okta SSO customers.
- August, 2017: Introduced expanded APIs, additional developer product capabilities and a new Developer Edition for Customer Identity.
- August, 2017: Updates to Universal Directory to enable direct integration from LDAP, expanded partnerships in the Okta Integration Network and added extensions to Lifecycle Management.
Acquisitions
- Azuqua – March 2019. Founded in 2013, Azuqua is a provider of no-code, cloud-based business application integration and workflow automation. Azuqua brought Okta additional application integration connectors and a workflow design capability, which has been incorporated into the Lifecycle Management product and Workflows platform service.
- ScaleFT – July 2018. ScaleFT provides advanced continuous authentication capabilities to secure access to infrastructure servers in cloud or on-prem environments over SSH or RDP. ScaleFT was an early player in Zero Trust solutions. ScaleFT technology was packaged into the Advanced Server Access product.
Future Applications
Okta is demonstrating continued rapid expansion in the evolving identity space. While I will examine TAM and competition in the next section, it is worth considering future opportunities for Okta product development. The Okta leadership team discussed some future product directions as part of their Oktane20 user conference. I will share comments from that and add my own thoughts.
- Platform Play. The announcement of Okta Platform Services was significant in itself. However, I think this is the tip of the iceberg. Making consumable identity and access management services available to third-party developers through a set of open APIs represents a major step for Okta. They are already experiencing significant traction from their Workforce Identity solutions and those generate the majority of revenue currently. Allowing developers at existing enterprise customers and those at new internet-first start-ups to easily address identity use cases with a full-featured, robust solution unlocks a whole new wave of demand. As I discussed in the product section, identity management for end customers is becoming very complex. With increasing risk and visibility around data breaches and consumer privacy, having a reliable and robust IAM capability for an enterprise’s user-facing apps is critical. The press doesn’t care that a consumer’s online dating or banking account was hacked because they used a weak password – the onus is on the enterprise to take necessary steps to ensure security and privacy. It doesn’t make sense for development teams within enterprises to take on this work themselves. This point was made in customer examples at Oktane20. The VP of Products at HPE Greenlake, an IaaS provider, said that his engineering team evaluated open source options, but felt their dev cycles would be better spent on areas of competitive advantage. Okta’s sophisticated platform solutions that are developer-friendly will drive a whole new level of usage, incremental to the existing Workforce Identity product adoption.
- Presence on End User Devices. Like any SaaS product company, Okta has traditionally maintained a light touch on the client side, relying on browsers and mobile app integrations for the customer touchpoint. With the release of Okta Verify and the Advanced Server Access products, this posture is changing. Okta Verify provides an Okta-controlled app on consumer devices, whether desktop or mobile. ASA works by installing a lightweight agent on an enterprise’s infrastructure hardware. These both provide beachheads for collecting interesting activity data and potentially launching future services. On the consumer side, we could see other services to help enterprise employees manage use of all their SaaS tools and applications, like productivity, collaboration or communication. On the infrastructure side, there are possible extensions into security information and event management (SIEM) or endpoint protection. As the server agent already logs and ships access data, there might be extensions into some aspects of observability as well.
- Universal Consumer Identity and Privacy. With the expansion of Customer Identity solutions, Okta is gaining a broader view into all consumer identity activity. Okta could become a central clearing house for universal identity across an individual’s entire digital experience. For example, if I have an Okta-powered account for my shopping, banking, media, communication, etc. apps, then Okta could provide some sort of universal ID service to allow me to connect to all of these. End users could register and maintain a single profile with Okta, that is then applied to consumer-oriented apps. This single profile could securely store the consumer’s sensitive data, allowing consumers to only grant access to companies when required. This would also provide the means to control access to consumer data. User privacy regulations, like GDPR, require an easy way for a consumer to request to be “forgotten”. The same model could extend to activity profiles built by advertisers as part of ad tech targeting. Okta could become the central store for consumer preferences and allow the consumer to control sharing of that activity profile data with advertisers on demand. In the closing keynote at Oktane20, the Chief Product officer talked about enabling privacy and consent dashboards for consumers.
- Risk Engine for Fraud Detection. The CPO also discussed the idea of extending the Devices service by ingesting usage data from other sources, like endpoint protection vendors and other software suite providers (G Suite). This could create a large database of device data combined with usage that could then feed a risk engine powered by Okta. This risk engine could be exposed as a service for other companies to utilize to determine risk associated with any device. For example, if Okta’s risk engine contained aggregated malicious activity for a single Windows device in Europe, that could be leveraged by risk engine subscribers (or Okta) to increase adaptive MFA levels for login requests from that device. Fraud detection is a big business, with home-grown solutions built by major payment providers and stand-alone start-ups providing fraud detection as a service.
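To make the adaptive-MFA idea above concrete, here is an added Python sketch (my own illustration, not Okta code and not how ThreatInsight or the proposed risk engine actually work) of a device risk engine that aggregates signals from several hypothetical feeds, applies time decay, and maps the score to a step-up level. Signal kinds, weights, thresholds and the telemetry are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Hypothetical normalised record: every feed (EDR, the identity provider, a
# mail/productivity suite) maps its own telemetry into one of these per device.
@dataclass(frozen=True)
class DeviceSignal:
    device_id: str
    source: str        # constructed feed label, e.g. "edr" or "idp"
    kind: str          # see SIGNAL_WEIGHTS
    observed_at: datetime

# Assumed weights. Negative weights are positive evidence (a clean EDR scan).
SIGNAL_WEIGHTS: Dict[str, float] = {
    "malware": 60.0,
    "credential_stuffing": 40.0,
    "impossible_travel": 25.0,
    "failed_login": 5.0,
    "clean_scan": -15.0,
}

# Assurance the login must satisfy, lowest to highest.
LEVELS = ["password", "push", "phishing_resistant", "block"]

def device_risk_score(signals: List[DeviceSignal], now: datetime,
                      window: timedelta = timedelta(days=30),
                      half_life: timedelta = timedelta(days=7)) -> float:
    """Sum weighted signals into a 0-100 score. Signals outside `window` are
    ignored; each remaining weight halves for every `half_life` of age, so a
    month-old infection matters far less than one seen yesterday."""
    score = 0.0
    for s in signals:
        age = now - s.observed_at
        if age < timedelta(0) or age > window:
            continue
        score += SIGNAL_WEIGHTS.get(s.kind, 0.0) * 0.5 ** (age / half_life)
    return max(0.0, min(100.0, score))

def corroborating_sources(signals: List[DeviceSignal], now: datetime,
                          window: timedelta = timedelta(days=30)) -> Set[str]:
    """Distinct feeds that reported a risk-raising signal inside the window."""
    return {s.source for s in signals
            if timedelta(0) <= now - s.observed_at <= window
            and SIGNAL_WEIGHTS.get(s.kind, 0.0) > 0}

def required_mfa_level(score: float, sources: Set[str]) -> str:
    """Map score to step-up. An outright block needs two independent feeds to
    agree, so one noisy source can force a stronger factor but never a lockout."""
    if score >= 75 and len(sources) >= 2:
        return "block"
    if score >= 40:
        return "phishing_resistant"
    if score >= 15:
        return "push"
    return "password"

def evaluate_login(device_id: str, signals_by_device: Dict[str, List[DeviceSignal]],
                   now: datetime) -> dict:
    signals = signals_by_device.get(device_id, [])
    score = device_risk_score(signals, now)
    sources = corroborating_sources(signals, now)
    return {"device_id": device_id, "score": round(score, 1),
            "sources": sorted(sources), "mfa_level": required_mfa_level(score, sources)}

# Constructed evaluation time and telemetry; none of this is real data.
NOW = datetime(2020, 5, 1, 12, 0, tzinfo=timezone.utc)

def _ago(**kw) -> datetime:
    return NOW - timedelta(**kw)

SAMPLE_SIGNALS: Dict[str, List[DeviceSignal]] = {
    # Windows laptop in Europe flagged by two independent feeds this week.
    "win-eu-0001": [
        DeviceSignal("win-eu-0001", "edr", "malware", _ago(days=1)),
        DeviceSignal("win-eu-0001", "idp", "credential_stuffing", _ago(days=2)),
    ],
    # Same infection signal, but only one feed has seen it.
    "lin-0003": [DeviceSignal("lin-0003", "edr", "malware", _ago(days=1))],
    # A couple of typos at login, then a clean scan: nothing to act on.
    "mac-us-0002": [
        DeviceSignal("mac-us-0002", "idp", "failed_login", _ago(hours=3)),
        DeviceSignal("mac-us-0002", "idp", "failed_login", _ago(hours=2)),
        DeviceSignal("mac-us-0002", "edr", "clean_scan", _ago(hours=1)),
    ],
    # Stale malware report outside the 30-day window.
    "old-0004": [DeviceSignal("old-0004", "edr", "malware", _ago(days=45))],
}

if __name__ == "__main__":
    for dev in list(SAMPLE_SIGNALS) + ["unknown-0009"]:
        print(evaluate_login(dev, SAMPLE_SIGNALS, NOW))
```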
Total Addressable Market
The Okta Identity Cloud addresses two primary customer segments currently – Workforce Identity and Customer Identity. As we discussed above, many of the product offerings and platform services can be shared between these two audiences. The go-to-market strategy, packaging and support obviously vary. However, this leverage is very powerful and is the reason that Okta was able to double their TAM in the last year by adding Customer Identity as a distinct market segment.
At the time of their IPO in early 2017, Okta initially sized their addressable market as being $18B. This focused on what is now defined as the Workforce Identity opportunity. The product set then consisted of Universal Directory, SSO, Adaptive MFA, Lifecycle Management, Mobility Management (device administration – has evolved into the Devices services) and API Access Management. Since 2017, Okta added Advanced Server Access and Access Gateway, as well as the many product add-ons and extensions covered previously.
As a result of the additional product offerings and traction with enterprises, Okta recently expanded the TAM for Workforce Identity to $30B. Growth with enterprises is enabled by Access Gateway specifically, as it provides a means to address the legacy identity infrastructure that large companies have accumulated pre-cloud. The $30B TAM was calculated based on over 50,000 U.S. businesses with more than 250 employees multiplied by 12-month ARR assuming adoption of all current products. This implies a $15B market in the U.S. Then, they multiplied by 2 to account for the international opportunity.
At time of IPO, Okta did mention future potential for enabling end customer identity use cases, but didn’t provide a TAM estimate or a distinct product strategy. Since then, Okta has significantly built out their platform services and extended a developer posture in order to enable customer identity to be built into custom apps for enterprises. This formalized the Customer Identity solutions market, which they size at a $25B opportunity. This figure was derived by taking the total number of Internet users (based on Facebook user counts) and multiplying by estimates for app usage and pricing. While not perfect, it is a reasonable approach.
Competition
Gartner defines the market for IAM as “vendors providing solutions that use access control engines to provide centralized authentication, SSO, session management and authorization enforcement for target applications in multiple use cases (B2E, B2B and B2C).” They also call out the fact that modern access management vendors offer APIs and SDKs for other parties to integrate authentication and authorization into their own applications and services. This spans traditional web applications and also extends into mobile apps and server-to-server communications. Access management solutions may run in the cloud or on-premises.
Looking towards more advanced capabilities, Gartner acknowledges that best of breed solutions provide adaptive access capabilities that are informed by sophisticated analytics. These should utilize historical behavior and user context to trigger adaptive policy decisions to elevate trust requirements in certain circumstances. This, of course, speaks to Okta’s ThreatInsight service, coupled with Adaptive MFA.
In the most recent Gartner Magic Quadrant published in August 2019, Okta was placed in the Leaders quadrant, furthest position up and to the right. This is one of the most dominant placements I have seen amongst software stack companies. It is reflective of both Okta’s rapidly evolving product offering, as well as their strong go-to-market execution.
Gartner recognized Okta’s substantial growth in the past year, particularly in the area of Customer Identity and Access Management (CIAM). This aligns with Okta’s Customer Identity offerings. They also called out the extensive capabilities for adaptive authentication and the newer ThreatInsight service that aids with threat intelligence for login activity.
Gartner provided the following additional commentary (paraphrased) related to Okta’s positioning:
- Mentioned positive feedback for overall customer experience, ease of deployment and use.
- Recognized rapid product improvements, like Access Gateway and Hooks. These both expand addressable use cases and facilitate integration.
- Adaptive and contextual authentication capabilities have advanced to the point where passwordless login is achievable.
- Called out limited support for IoT use cases and social login support out of the box.
- Rated as the highest priced offering.
- API protection doesn’t support some advanced use cases, like denial of service, full encryption and support for proprietary tokens.
In terms of competitors to Okta, I think that Microsoft and Ping Identity are the most relevant. Of the other Leaders, Gartner recognized IBM and Oracle.
- IBM. IBM offers two IAM products – packaged Security Access Manager and a SaaS-delivered product called Cloud Identity. IBM’s packaged software solution is very mature and supports a broad array of use cases. It has integrations with many hosted enterprise software packages and includes deep support for other IBM enterprise solutions. IBM also has a global sales and support organization. However, the SaaS offering is lacking features compared to the packaged solution. The solutions are rated as complex overall by customers. Modern privacy considerations, like GDPR, are also not addressed.
- Oracle. Oracle similarly offers a software package solution, Oracle Access Manager, and a cloud-based solution, Oracle Identity Cloud Services. The Identity Cloud solution has not yet achieved feature parity with Oracle Access Manager. Identity Cloud does have better integration with other Oracle cloud products. Identity Cloud offers robust API protection services and can be extended to manage the full lifecycle of API deployment. Existing users of Oracle products, like Human Capital Management (HCM), can take advantage of deeper integrations. On the flip side, peer insight scores were low, citing complexity of implementation. Fraud strategies are nascent, relying on knowledge-based elevation. Finally, existing customers of the legacy Oracle Access Manager product are evaluating other solutions for cloud-based identity management.
Competitive Moat
Before we look at Microsoft and Ping, let’s talk a little bit about what contributes to the competitive moat in this space. Going beyond the standard criteria of product coverage, feature set, pricing and sales execution, I think there are three strategic factors to consider when comparing companies offering IAM solutions.
- Network Effects. A cloud-based identity platform benefits from participation. This translates into four areas – integrations, customers, touchpoints and use case coverage. All of these generate incremental data that can be mined for insights to improve the security effectiveness of the access management solutions. Integrations should cover not just SaaS apps, but also infrastructure, APIs and devices. Touchpoints represent all the sources for activity data, like device usage, network, biometrics, application logs and user behavior. Use cases represent the overall coverage of the product landscape. Having more customers simply provides more usage data. As a company grows coverage in these four areas, they increase the value of the network, making it harder for a competitor to displace the leading provider. These network effects enable more sophisticated security posture and new product offerings. The Okta leadership team talks about network effects as part of their value proposition.
- Neutrality. Independence and true neutrality for an identity provider is critical to ensure that the benefit from network effects can be maximized. While the large cloud providers may offer a solution for IAM, it will likely have a bias towards that company’s products. This may take the form of application integrations (prefer their employee productivity solutions), devices (prefer their OS) or customer scope (bundling with other software products). IAM providers that are independent companies, focusing only on IAM solutions, will ultimately realize the greatest network effects and be able to deliver the most complete and enriched product offerings.
- Programmability. The ability for developers to consume the IAM provider’s services as stand-alone APIs will be an important driver of future growth. While many customers will simply take the packaged products as is, some companies with a builder mindset will prefer programmability in the offering. This is either within the toolset provided through no-code drag-and-drop workflows or low-code scripting of hooks. Additionally, a complete and developer-friendly set of APIs and SDKs will appeal to the engineering organization within enterprises that have a bias towards tinkering. The broadest set of customers and access patterns will further drive network effects.
Microsoft (MSFT)
Microsoft has been in the access management space for a long time. Their Active Directory product was first launched in 1999, as a way to manage user accounts and control access to Windows servers, desktop Windows computers and Microsoft business applications, like Exchange or SharePoint. To its credit, AD allowed system administrators to easily manage permissions between Microsoft resources. Over time, it was extended to store other user and device metadata as a convenience. However, much of its early design and purpose revolved around the Microsoft ecosystem.
Microsoft still supports the legacy, packaged software offering for Active Directory. Many mainstream enterprises maintain versions of AD, usually as part of their on-prem installations. When Microsoft built out its cloud offering through Azure, it ported access management capabilities to be cloud-enabled and re-branded their offerings as Azure Active Directory (Azure AD) and Azure AD B2C. These solutions are SaaS based and multi-tenant. They come with a catalog of SaaS application integrations. Interestingly, even though Azure AD is a SaaS application, many companies continue to use packaged software components like ADFS and Azure AD Connect for access management in their corporate network environment. Azure AD offers adaptive and contextual authentication through conditional access rules, similar to Okta, and offers an extensive assortment of user authentication mechanisms.
Microsoft also has an Intelligent Security Graph offering that generates risk scores for users accessing any Microsoft platform, which can be leveraged to make authentication and authorization decisions by Azure. This is similar to Okta’s ThreatInsight offering.
As part of its go to market strategy, Microsoft bundles Azure AD with Office 365. This provides the user login capability for Office 365 products. There is a basic level of functionality provided, with paid upgrades available for more advanced features called Premium. This has resulted in some increased market share for Azure AD Premium, according to Gartner, as some Office 365 users just pay for the upgrade from the basic Azure AD subscription. At the same time, Gartner mentions that other customers contract for separate access management solutions to address edge cases or gain access to broader features.
Microsoft Online business services, such as Office 365 or Microsoft Azure, require Azure AD for sign-in and to help with identity protection. If you subscribe to any Microsoft Online business service, you automatically get Azure AD with access to all the free features.
To enhance your Azure AD implementation, you can also add paid capabilities by upgrading to Azure Active Directory Premium P1 or Premium P2 licenses. Azure AD paid licenses are built on top of your existing free directory, providing self-service, enhanced monitoring, security reporting, and secure access for your mobile users.
Microsoft Azure AD web site
While getting Azure AD for free sounds appealing and might be a competitive issue for Okta, there are some limitations to the free version. To get beyond these limits requires a paid upgrade to Premium P1 or Premium P2 licenses. Here is a short list of items that are not available in the bundled Office 365 AD version.
- SSO for more than 10 apps, with Microsoft products included in the count.
- Self-service password reset.
- Conditional access logic based on group, location and device status.
- MFA with conditional access (adaptive MFA).
- Security and usage reports.
- Risky account detection and events investigation (Premium P2).
- Risk-based conditional access policies (Premium P2).
Pricing for Premium P1 is listed at $6 per user/month and Premium P2 is $9 per user/month. These prices are comparable with Okta’s, so there really isn’t a financial benefit to the free AD offering for anything but the most basic usage.
Okta has taken a direct line on competition from Microsoft and views AD as ripe for displacement. They even have a dedicated section of the Okta web site for addressing this, called “Rethink AD.” They point out the deficiencies of the Microsoft AD solution as it relates to design choices to accommodate Microsoft software products, Microsoft powered devices and a fixed corporate network.
According to Okta, some of the limitations of the Microsoft AD solution set for customers requiring support for a broader set of use cases are:
- SSO to popular cloud apps requires the use of several different Microsoft products, including ADFS, AD Connect, Password Sync and Microsoft Identity Manager. Each of these needs to be configured separately with Azure AD.
- Microsoft AD integration with HR systems is limited. It integrates with Workday out of the box, but other HRM systems require separate set up through MIM and SQL Server. These include UltiPro, G Suite and SuccessFactors.
- Microsoft AD doesn’t support all modern adaptive MFA solutions, like YubiKey, Smart Cards and Google Authenticator. It also requires an on-premises MFA server.
Other gaps in Microsoft’s overall access management solution appear to be limited capabilities and breadth of device fingerprinting and tracking, as compared to Okta’s Devices service. Also, the Azure AD app marketplace lists 2,800 SaaS apps with SSO support, versus 6,500 for Okta.
Azure AD does list some impressive customers on their site, including Walmart, Zscaler, BP and Amtrak. They claim that “90 percent of Fortune 500 companies use Azure AD, the sign-in engine for Office 365.”
For developers wishing to build custom apps using APIs for identity and access management, Microsoft offers Azure AD B2C. They provide a developer site with common use cases and sample code in JavaScript, .NET, Java and Python (not as extensive as Okta’s SDK library). There is a fairly complete set of APIs available through Microsoft Graph for Azure AD. Pricing of the Azure AD B2C solution is determined based on MAUs. Each unique user authentication in a month is tallied. There is no fee for inactive user data storage. All pricing is applied on a monthly basis. Users can get estimates of their monthly bill based on activity so far that month.
As an example, 100,000 unique user logins in a month would cost $275. 1M unique users would cost $4,415 for that month.
Some other thoughts around Microsoft’s offering relative to Okta:
- While Okta seems to be downplaying Microsoft’s capabilities, Microsoft appears to be continuing to evolve their AD solution quickly. For example, at one point Okta leadership mentioned that Azure AD doesn’t support SSO for popular collaboration apps, but I can find most listed in the App Marketplace at this point. Also, Microsoft’s AD blog is active, with frequent product updates.
- With that said, Microsoft will likely always be one step behind Okta in terms of advanced feature support. New Okta capabilities like Devices and Adaptive MFA have broader coverage. Programmability options are greater on Okta as well, with Workflows, Hooks and more granular APIs. Security monitoring and proactive account takedown through ThreatInsight and best practice recommendations through HealthInsight are far ahead of comparable solutions in Azure AD, at least in the core product set.
- Okta emphasis on neutrality will generally overcome Microsoft’s inherent bias to favor its own products. This manifests in breadth of integrations (Okta 6,500 versus 2,800 for SaaS) and depth of device tracking. These are critical inputs to driving network effects.
- With all that said, Microsoft claims to have 90% of the Fortune 500 using Azure AD due to its automatic deployment with Office 365. If Microsoft really embraces neutrality and invests heavily in AD as a stand-alone solution, it could generate more friction for Okta.
My overall take on Microsoft’s offerings is that they will cause confusion for enterprises and capture some portion of potential Workforce Identity solutions from Okta. This would mainly apply to companies that already have a deep relationship with Microsoft. I don’t think the Azure AD B2C offering is really competitive, except for custom apps in the Microsoft sphere of influence. Over the long term, I think that Okta’s focus solely on IAM, independence and growing network effects will keep them ahead of Microsoft. However, given that Microsoft has vast financial resources and deep customer relationships, we should keep an eye on major developments from them.
Ping Identity (PING)
Ping Identity was founded in 2000 and is headquartered in Denver, CO. They are a provider of identity and access management software, with heavy enterprise penetration. Their solutions target the employees, partners, and customers of large companies, enabling secure access to any application from any device. They claim to have secured over 1 billion identities and to serve over 1,500 customers. They are majority owned by Vista Equity Partners, after a leveraged buy-out in June 2016.
The company went public in Sept 2019, closing at $20.11 on its first day of trading. The stock reached a high of $28.63 in Feb 2020, and most recently trades around $25. Looking at some summary financial metrics, we can see how much greater Okta is in terms of overall size and growth rates. Putting aside valuations, it is difficult to see how Ping Identity could narrow the gap between the two companies. Okta should continue to have significantly more resources to invest in R&D and sales efforts.
| Metric | OKTA | PING |
| --- | --- | --- |
| Market Cap | $18.7B | $2.0B |
| Revenue (Prior Year) | $586M | $243M |
| Rev Growth (Prior Year) | 47% | 21% |
| FCF Margin (Prior Year) | 6.2% | (0.5%) |
| DBNER (Quarter) | 119% | 115% |
| Current Year Est. Rev Growth | 32% | 10% |
| EV/Rev | 31.7 | 8.5 |
Due to variance in revenue recognition, Ping Identity leadership prefers that investors look at ARR growth, instead of revenue. ARR growth for prior year was 23% and looking forward to FY2020 is estimated at 18%. Still about half of Okta’s revenue growth rates.
Ping Identity positions their product offerings in a similar way as Okta, addressing both Customer Identity (for the enterprise’s customers) and Workforce Identity (for the enterprise’s employees). Their software delivery model supports three deployment postures – on-premises, hybrid and cloud. This reflects their pre-cloud origins when the original product was an on-premises installed software package. Interestingly, Ping Identity includes an IoT use case, in addition to the typical customers, employees and partners audiences. This hasn’t registered as a use case for Okta yet, but would be straightforward to support with some combination of the Devices service and Advanced Server Access capabilities (light client).
Ping Identity’s current product offerings are broken up between Cloud solutions and Cloud Ready Software. The latter appears to be a software package that customers can install in any environment.
Cloud Solutions
- PingID. Cloud-based MFA solution that applies adaptive authentication policies to increase MFA requirements based on user risk. PingID MFA adds a layer of protection over SSO application access. It integrates seamlessly with Azure AD and on-prem AD.
- PingOne. Provides base level authentication and authorization identity services. Can be applied to either end customer-facing applications or to secure access for employees to business applications.
- PingCloud. Provides customers with a private instance of Ping’s cloud-based identity solutions, that is fully configurable and hosted in a dedicated cloud environment with data and resource isolation. This would appeal to enterprise customers that want to run their own identity service in the cloud.
Cloud Ready Software
- PingFederate. An enterprise federation server that enables user authentication and SSO. It serves as a global authentication authority for an enterprise. It can be deployed on-premises or hosted in the cloud.
- PingAccess. Secures access to applications and APIs down to the URL level, ensuring that only authorized users access resources. Can be deployed on-prem or in the cloud. Operates as a proxy for cloud requests.
- PingDirectory. Provides a data store for customer, partner and employee identity data.
- PingDataGovernance. Provides policy-based, fine-grained access controls for attribute level data protection. Facilitates regulatory compliance and consent management for user privacy requirements.
- PingIntelligence. Provides a unified view of API activity for centralized monitoring and reporting. Uses AI to learn traffic behaviors and automatically block threats.
- PingCentral. Represents a converged operating portal for all Ping software products, with efficiency and automation tools for administrators.
Ping offers a dedicated developer site with API documentation, SDKs and code samples. They also provide a public GitHub repository with open source code for SDKs, helper tools and sample applications.
Ping has an impressive list of customers, laying claim to 50% of the Fortune 100.
Some comments on Ping Identity’s position relative to Okta:
- Ping is much smaller than Okta in terms of revenue and is growing at half the rate. This tells me that Ping is unlikely to catch up to Okta and that they are not taking significant market share. Also, while Ping has impressive enterprise penetration (50% of Fortune 500), they don’t seem to be landing many new deals. I conclude this because revenue growth is tracking around 20% and DBNER is 115%.
- The feature set supported in the newer cloud product offering lags that in the legacy packaged software (Cloud ready). Many new customers are likely interested in the cloud solution and would favor Okta for completeness of feature set.
- Ping has an extended partnership with Microsoft in which its products are offered as part of Azure AD Premium. Microsoft customers can use Ping solutions to connect to Microsoft Azure or Office 365 services. They also enable non-Microsoft applications and environments to be easily integrated into the Microsoft ecosystem. Ping’s MFA solution works directly with Microsoft ADFS and Azure AD to provide enterprise-grade adaptive authentication to Microsoft’s offerings. This partnership is likely driving some business from Microsoft customers and will help with upsells in larger enterprises. Also, this relationship might portend an acquisition by Microsoft in the future. The combination might represent a more meaningful threat to Okta.
- I think majority ownership by Vista Equity Partners will weigh on performance. My view is that buy-outs and subsequent IPOs engineered by PE firms reduce the momentum that a rapidly growing start-up with independent leadership enjoys. This is similar to my review of Dynatrace (DT) in the Datadog competitive analysis. Reviewing Vista’s previous acquisitions, I don’t see any companies that re-emerged as a dominant player in their industry.
Customer Adoption
Okta had 7,950 customers at the end of 2019, representing an increase of 30% over the end of 2018. Of these, 243 customer accounts generated greater than $500k annually. This count grew even faster than total customers at 59% year/year. Yet, penetration in the Global 2000 thus far has been light, with just over 20% on-boarded. According to the CFO at Investor Day, the ACV for Global 2000 customers is typically 6x the spend of the average Okta customer. This obviously represents a big opportunity for Okta going forward and international expansion is a focus area.
The Okta sales organization is segmented along customer account size. Large customers are handled by the Enterprise Business team, with pre-sales and subject matter experts available to support salespeople, who have direct assignments to individual enterprise accounts. Smaller companies are handled by the Commercial Business team, with groups of corporate or emerging companies assigned to salespeople. Pre-sales work is handled remotely. Leads are generated by the Pipeline Management team, through marketing, sales development and inside sales.
At the Investor Day in April 2020, the President of Worldwide Sales Operations outlined the go-to-market strategy for the coming year. This will hinge on four pillars – acquiring new customers, expanding their spend over time, leveraging partners to improve efficiency and international growth.
New Logo Acquisition. Attracting new customers will be driven by Customer Identity, as more enterprises are building new experiences for their partners and customers through digital transformation efforts. Customer Identity has seen heavy pull with larger companies. Specifically, in FY20 (calendar 2019), Okta added several new enterprise customers for Customer Identity solutions, including Athena Health, Engie, Carmax, HP Enterprise, Zurich and AAA. This has introduced Okta to CTOs and VPs of Engineering who are charged with development efforts. Some companies are even starting their Okta engagements with Customer Identity. For these custom development projects, customer security is paramount, which is pushing them towards a trusted solution like Okta, versus rolling their own authentication solution. New compliance and privacy regulations, like CCPA and GDPR, are making this concern more acute.
Land and Expand. This is the process of gaining a foothold within an enterprise and then expanding into more products and use cases over time. Underpinning Okta’s ability to expand with large enterprises is a foundation of trust, built on Okta’s ability to scale with usage, maintain ultra-high availability and apply the highest standards of security. The new product offerings launched in the last year, Access Gateway and Advanced Server Access, have been particularly significant contributors to the expansion ability. For enterprises, Access Gateway allows them to leverage their existing legacy installation without the requirement to lift and shift completely to cloud-based identity. Advanced Server Access enables the addition of infrastructure access management to their identity footprint. Enterprise customers adopting Access Gateway in the last year included AllianceData, Nexteer and Hitachi. Advanced Server Access upgrades included Vonage, Nvidia and Mailchimp.
Pipeline Efficiency. Pipeline efficiency represents the effort to drive more revenue without a proportional increase in sales organization spend. The mechanism to accomplish this is through the partner channel. Okta is investing in building its stable of certified pre-sales sources and consultants. This allows the Okta sales team to engage the customer much further along in the sales process. The result is that 60% of new business in Q4 had a partner involved in some part of the process. Okta currently has over 1,000 channel partners in 44 countries. In late March, Okta announced further improvements to their Partner Connect program, which is geared towards increasing partner sales growth. The new program offerings are designed to give partners additional resources, like free technical training, a new Innovation Center and marketing tools.
International Growth. The secular tailwinds driving Okta’s growth domestically apply internationally as well. Yet, Okta’s penetration is fairly nascent, relative to distribution of the Global 2000 companies. To address this, Okta is opening new regional offices in Europe and Asia. In FY2020, Okta opened offices in Amsterdam, Munich and Paris, as well as a new data center in APAC. An example international growth customer is Flex, a worldwide manufacturer which has over 200k employees across 30 countries.
Leadership
Okta’s two co-founders, Todd McKinnon and Frederic Kerrest, still run the company. Prior to founding Okta in 2009, they both worked at Salesforce (CRM). Todd ran engineering there and Frederic focused on sales and business development. As Salesforce and other companies were emerging in the SaaS space, the two saw a need to securely manage access to all these apps for enterprises. Out of this, Okta was born.
Both co-founders have CS degrees and were very involved in the initial design of the Okta platform. Having a technical founder who is still running the business is one of my most important criteria in selecting software stack companies for investment. This is because they deeply understand the problem space, have a “builder” mentality and can establish credibility with the internal technology organization. Okta has two co-founders who meet these criteria and are still clearly running the company. This is very similar to other software stack disrupters, like Datadog, Elastic and Twilio.
Besides the co-founders, Okta has a strong leadership team. Here are some other key players.
- Bill Losch – CFO. Bill joined Okta in 2013, well before the IPO. Prior to Okta, he was the CFO of MobiTV for 6 years. He also held CAO roles at DreamWorks and Yahoo!
- Charles Race – President. Charles runs the worldwide field operations organization, which includes sales and all the support functions. He joined Okta in 2016. Prior to Okta, he held similar roles at Informatica for 11 years. He also has a CS degree.
- Hector Aguilar – CTO. Hector has been with Okta since 2012. He is responsible for all engineering and technology operations. Prior to Okta, he spent 10 years at ArcSight as VP of Software Development for all networking products. ArcSight was acquired by HP in 2011. He has a MS in Computer Science.
- Diya Jolly – Chief Product Officer. Diya has been with Okta for a year and leads product innovation. She spent 8 years at Google prior to joining Okta, in various product leadership roles. She also spent time as a product manager at Microsoft.
- David Bradbury – Chief Security Officer. David literally just joined the Okta team (announced April 28th). This is a huge addition for Okta. David has a long career focusing on security solutions. Most recently, he was Chief Security Officer at Symantec, which included responsibility for secure cloud operations. Prior to that, he held security roles at several major banks, which should help convince these enterprises to adopt Okta’s solutions.
Take-aways
Okta (OKTA) addresses a huge market and currently holds a leading position. The Q4 and FY20 earnings results were strong and FY21 targets appear promising, particularly as we received some preliminary feedback in the midst of the COVID-19 outbreak. In considering OKTA for an investment, I think these factors stand out:
- I like the expansion into Customer Identity use cases, as this has effectively doubled the TAM and introduced Okta to a new buyer in the IT organization. More importantly for me, Okta has established themselves as a software stack provider, with their easy-to-use platform services and complete API offering. This has propelled them out of being a pure security and productivity play into delivering a critical software component (identity) for every modern consumer-oriented application.
- The secular tailwinds driving the need for Okta’s solutions should continue for the next 5-10 years. These include distributed workforces, cloud migration and digital transformation initiatives. Enterprises will need help addressing all of these and timing has been accelerated in some cases due to COVID-19.
- Okta’s competitive position is strong in a large addressable market. The Gartner placement is exceptional and reflective of Okta’s broad vision and strong execution. Network effects from having the most integrations, customers, devices and use cases will continue to allow them to optimize and expand their product offerings. This will keep the competitive moat wide and defensible.
- The go-to-market strategy will continue to drive growth in large customer adds, through internal efficiencies, the partnership channel and international opportunities.
- The leadership team is deep, with two technical co-founders continuing to lead the company. Recent additions have also built credibility, particularly the new CSO.
- Financials are reflecting the strength of execution. Okta is delivering consistent revenue growth in the 40% range and continued improvements to the bottom line. FCF margin is positive and operating margin is trending up. Growth in RPO will ensure high revenue generation for several more years. The cash position is favorable as well.
- Okta has several future product growth opportunities driven by their data collection and platform capabilities. These include fraud detection services, consumer consent management and a centralized data privacy store. Also, having a presence on customer devices (Verify) and infrastructure (ASA) could lead to some interesting offerings in productivity, security or observability.
While Okta is performing well, there are a few areas that investors should monitor:
- Microsoft bundling of Office 365 and Azure AD. This strategy puts Azure AD in front of a lot of enterprises. While the basic level of Azure AD is limiting, some customers may not object to the Premium upgrades. This could cut into Okta’s Workforce Identity product adoption in the Global 2000, although that doesn’t appear to be a limiter yet. Also, Microsoft might decide to invest more heavily in Azure AD, or acquire Ping Identity, to improve their offering.
- Okta is counting on a lot of growth from Customer Identity solutions. While I think it is a smart move, customer adoption may take longer than expected. Dev shops in enterprises might not appreciate the risks or overhead and roll their own identity solutions.
- DBNER of 119% is good, but not as high as other top SaaS companies. Leadership attributes this to larger initial lands, but it is something we should watch as an indicator of the expected expansion motion to drive future growth.
At Okta’s Investor Day in early April, the CFO reaffirmed their FY2024 guidance provided previously. This targets a long-term financial model with a four year average growth rate for revenue in the 30-35% range and achieving 20-25% FCF margin by FY24.
Investment Plan
Okta is a leader in a large, increasingly critical addressable market. Enterprises cannot afford to have their employees’ or customers’ identities compromised. Given Okta’s rapid product development velocity, cloud-neutral posture and broadening network effects, their competitive position is defensible. Combined with a strong go-to-market strategy and new customer growth opportunities in the G2K and internationally, Okta should continue high revenue growth for several years.
OKTA’s current enterprise value is about $17.9B. FY21 revenue guidance is $775M for 32% growth. Coming off a quarter with 45% growth, I think they can outperform for FY21 and hit $800M in revenue, which would represent growth of 36.5%. This is half the outperformance of FY20. Further, if I assume 35% growth for FY22, 32% growth for FY23 and FY24, and 30% for FY25, this yields about $2.45B in revenue by calendar year 2024. For 30% revenue growth and 25% cash flow margin, a comparable valuation metric could be borrowed from ServiceNow (NOW). With revenue growth in the low 30% range and FCF margin of 29%, NOW has an EV/Revenue of about 18. Applied to OKTA, this would imply a slightly lower ratio, like 16. With $2.45B in revenue, OKTA’s enterprise value would grow to $39.2B by FY25, or a factor of 2.2x current EV. Applied to a stock price of around $150, this yields a 5-year price target of $330.
OKTA is richly valued currently, with a trailing EV/Revenue ratio over 30. This may limit near term upside, as the stock grows into this valuation. Over the long term, the company represents a safe bet with potential for more upside as new revenue streams manifest. OKTA should continue to deliver for investors with a multi-year horizon interested in owning this critical segment of the software infrastructure ecosystem.
I have never read this much in-depth analysis on IAM, both on micro as well as macro. Being a software engineer, I simply recommend reading everything from this blog, SSI. Kudos and simply super job 👍
Information and details you cannot find in any report... super job, many thanks
Amazing depth to this report on Okta, one of my favourite companies. Kudos!
Thanks SSI again for a great article!
You talk about competition from Microsoft, but I think there is also a good chance MSFT just buys up OKTA instead of investing the resources to compete.
“However, given that Microsoft has vast financial resources and deep customer relationships, we should keep an eye on major developments from them.”
Thanks for the feedback. Fair point. At a $22B market cap, OKTA might be a little on the large side for an acquisition, but anything is possible.