Joshua Tilton

All right. Welcome everyone to our Second Security fireside chat of the second day of March Madness. We are super fortunate to have in attendance with us Eugenio Pace, CEO of Auth0; and Todd McKinnon, CEO of Okta. Look, the chat was originally supposed to be with just Eugenio, and the goal is to still keep most of the time dedicated to Auth0. But given the news out yesterday, Todd did reach out proactively to jump on the call and kind of address investors head on. So Todd, Eugenio, thanks for joining us today.

Todd McKinnon

It's great to be here. Thanks for having me.

Joshua Tilton

I am going to kick it off with some few questions for Todd. Before we move to Eugenio. But guys, again, this time is for you. So please ask questions through the chat box. Management only request that you keep them focused on the Auth0 side of the business. And then also you guys know the drill by now, we're sending out a quick three-question survey at the end. This is for feedback from management, it's important to them, it's important to us, so please, please fill out the survey.

And with that, let's kick it off. So, Todd, thanks for jumping on.

Todd McKinnon

Yes, for sure. No problem, for sure.

Joshua Tilton

Great. We all saw the news out yesterday. But just kind of give us the lay of the land, what exactly happened? Was it a breach? Was it not a breach, some are calling it a compromise? What exactly occurred? And just why not give us some more insight into what was going on back in January?

Todd McKinnon

Yes, for sure. So what happened was there, we had a sub processor, it's called a sub processor. It's a -- it's like an outsource support team that help us supplement our support of Okta customers. And in that support center, there are about 40 support agents that take calls and do tasks for things like password resets and filing cases and looking up solutions for cases and things like that. And that support center had a breach. And they got -- the hackers got into that support center and got access to those computers and were able to view and control the computers. And so the implications for Okta that it's essentially that whatever a support person could do, or support engineer could do, the hackers could do on their behalf. And so the blast radius of that is constrained to the permissions that that support engineer has.

So that's what we've been really focused on is, is now first of all, we've been focused on customer communication and making sure that customers understand what's happening and understand the dependencies and the impacts to them. And based on the access that those support engineers have it kind of drives all of the downstream impacts.

Joshua Tilton

And just, for investors, the way to think about these support engineers, they're kind of limited.

Todd McKinnon

And yes, it's like a kind of a Tier 2 support, which is low level support.

Joshua Tilton

Great. And then you said you're focused on the customers. Just talk to us about the first 24 hours since the news drop, obviously, we saw a lot of focus around MFA, some people possibly need to reset passwords. I think someone even mentioned Log4j. But aside from that, how was the initial reaction been from customers, and even maybe some prospects?

Todd McKinnon

The reaction is just one of collaboration; they want to understand, like, all of their technology and their stock. They want to understand the dependencies and the risks and how it fits together. And so our focus has been on giving them as much information as fast as possible, and whether that's through direct customer interaction, or whether that's through blog posts, or whether that's through various other channels, CSMs, et cetera.

And that's the spirit, it's like, here's what we know. Here's how it's evolving, here are the risks. Here are the whole situational awareness and to help customers manage through all issues because we're - we work with customers on security issues that they're having in their environment that Okta can help them solve. And so this relationship where we work with customers on triaging through these things is something they value in us. And when a situation like this happens, it's no different. They want to work with us to figure out the impact and how they can mitigate it and move forward.

Joshua Tilton

And we saw a lot of those blog posts, the communication you were putting out yesterday is the way to think about it? And like the customers understand that this is still evolving, is case closed at all behind us, like where are we in that process?

Todd McKinnon

Yes, I think these are I mean, you could imagine that we're very, we have a whole team that is totally focused on security. So the team is, it's continuous. They're always looking at all issues and threats and opportunities. So clearly, they're focused on this. This is their major focus. And it will be that way for a while just to make sure we understand everything happened ever done every last detail, every implication every customer impact.

You saw in the blog post we released last night, one of the things we're doing is we're actually - there's only in the timeframe when this was an issue back in January, which was a five-day timeframe in January. We know - we log what all of those support engineers do. And so we know which customers they interacted with, whether it was the hacker doing that, or whether it was the customer or the customer support agent. So we know the exact number of customers that theoretically had anything, their environment, their Okta users potentially viewed or a password reset or anything, so we can tell them exactly what happened. And that's what we're in the process of doing now.

Because the way the system is designed, there's - the hacker can't see the passwords, and they can't receive the resets and they can't. So that's - the system is designed like that. So it really constrains what's possible from a risk perspective, which is one thing that customers find really comforting.

Joshua Tilton

Right. So it seems that even though a service engineer had access to very limited into what they can see from a customer data perspective.

Todd McKinnon

Yes, really they can just see the users. Like the list, like a user ID.

Joshua Tilton

And when we kind of look how fast this initial news release, obviously, you guys aren’t updating the guidance, but how should investors think just about the potential impact if at all the sales cycles and maybe just the future growth trajectory over the next 12 months?

Todd McKinnon

We are very confident in the growth trajectory. I think we’ve built the company with this partnership with customers for a long time. And I think that customers are – if you’re running the business today it’s one of the reasons we’re so successful is because there is so much technology and we do such a good job helping them capture the value of that technology. And part of that is a collaboration through new initiatives, through potential issues and I think they will see that we are really strong partner in that regard.

Joshua Tilton

And kind of just doubling down on that last comment, we have spoken to some customers since the news drop, like what is your number one initiative to kind of reinstil confidence in your customer base and future potential customers that they should still be trusting Auth0 with their identity needs going forward?

Todd McKinnon

Well I think it’s always been our number one, our number one continuous ongoing priority. It’s customer success and trust and confidence in Okta. It’s really important to our brand and we’ve built a very, very strong brand around this and I expect that to continue.

Joshua Tilton

And just kind of very quickly before we do switch gears over to Eugenio and Auft0. My last question for you is just – is there anything else that maybe I didn’t ask about that you kind of want to tell investors or they should know regarding kind of last 24 hours and the news et cetera?

Todd McKinnon

No I think we covered it. I think you have a – and when I talk to customers the other thing maybe the sentiment is that they really know to be successful. They need partnerships. They can’t do it on their own. The vendors have to work together. The vendors have to work with customers. And I think that we’re – you asked about priorities, the top priorities making sure we continue to maintain that relationship, and that trust and that confidence that we’re working hard for them.

Joshua Tilton

Well, Todd, thank you for jumping on last minute.

Todd McKinnon

Yes, sure. I’m happy to join you. It’s nice to see you.

Joshua Tilton

I know investors definitely appreciate it. But now actually, I think we’re going to talk to the star of the show. So Eugenio, maybe some easier questions. I did just kind of want to start off high level. We are still in very early innings of this very, very large customer identity access management opportunity. But how would you characterise the demand environment now they are almost three months into 2022. And maybe just how does that demand environment compared to a year ago, and even pre-COVID?

Eugenio Pace

Well, demand has been sustained strong, strong throughout. Through COVID, through last year as we were going through our integration as becoming one company. And I think there’s clearly a need for the problem that we solve and even more so in a world where more and more of our lives more to a digital world. And if you think about your day in your life professionally and personally, how many times you don't need to prove who you are to technology? Very few. It’s very, very few, if any application that doesn't need to know who you are, and based on who you are do things for you differently, perhaps. And so, it's a - demand has been very strong. And it's - this even a more realization as companies continue to transform digitally moving forward.

Joshua Tilton

And we've sort of been asking everyone, we posted a fireside chat with this question. But there's a view that the pandemic may have accelerated some demand for certain areas of software. Did Auth0 experience any pull forward of demand, maybe as organizations kind of all of a sudden spun up all these apps during COVID, because that was the only way to service their customers in this new norm?

Eugenio Pace

Maybe there's been some tailwinds, I would say. But I wouldn't say that it's a - that it's - it was like a massive acceleration. I think now, there's a realization that we're behind. And if you look again, at the world surrounding us, most applications are still struggling to provide a great user experience when it comes to authentication. Now, there's been this tension throughout history between security and user experience. You can have a very, very secure application that prompts you for credentials every five seconds, which is a terrible user experience. Or you can have like no security at all, it's great user experience, but not very secure. And so we look at this world as being at odds. And part of what we do is precisely this maximization of these two variables that seems to be adults.

And if you look at the what systems are doing today, they are now great in user experience. And I know you, but I'm sure you have, like many, many, many passwords still in a world where you can - you don't have to use passwords anymore. There’s technology that will allow you to not use passwords at all. How come nobody is using that? Or how come the vast majority of companies out there are still not doing that? Well, that's what's propelling our business as well. It's taking them to 2022.

Joshua Tilton

And so it sounds like demand is strong, we might even be behind. And you guys have this awesome tech to kind of figure out how to make my user experience much better and secure. I want to touch a little bit on the competition. We've always heard from you guys that it's kind of this buy versus build scenario. But what would you say are some of these like key drivers that are causing more customers to outsource this aspect of their application build Auth0, instead of how they used to do it in the past and kind of build it in-house?

Eugenio Pace

Yes. So totally the biggest competitor for us, it's a build yourself for whatever was there before because it's very rare that we start with a customer with a greenfield scenario. So unless you're a startup, and you afford to start from scratch, like literally nothing, there's no installed base, there's nothing, there's no legacy. The vast majority of the world has something because it again, authentication, you cannot live without the two biggest drivers, I would say, for choosing an expert like us. Okta, we are experts in this in this domain.

The reasons customers choose us is because first of all, they have other problems to deal with. And so there's an opportunity cost. One hour of a developer, or technologies that is spent building this thing, it's an hour that you're not spending building a better system for your customers, whether it's in financial services, or transportation or healthcare, whatever the domain expertise in whatever they're solving, they all need authentication and authorization. But that's not their core competence or the core concern. So that's one.

And I heard some time ago that there's like a demand for 300,000 developers in the U.S., and we only mint like 30,000 every year, so which means that for the next 10 years, we will not cover that gap. So anything that makes your developers more productive will be a big appealing thing for you to consider and certainly, this is this is one of those.

But the second component is precisely the security expertise and the posture. Because as more and more, more of our lives move to the digital world, there'll be more value there. And it's going to be more attractive for bad agents. And that requires expertise and requires dedication. We are an entire company of 5,000 people dedicated to this single problem, which cannot - it's very difficult to match everywhere else. And so we are going to be providing you a better, more robust, more available solution that you can do yourself and more importantly, faster, because time to market, it's another big important driver.

Joshua Tilton

And what about just from like a pure competition perspective, competition from other identity vendors, which are the well-known players, maybe a Ford truck or a ping you see the most in the market? And what would you kind of describe as Auth0’s like competitive differentiator for why someone is going to choose your solution over competitors?

Eugenio Pace

Well for the last -- my Mum used to work in a data center with a mainframe, and that was like, 50 years ago, don't tell her. But she had username and password, and she used an IBM mainframe. And so there was identity, there are identity systems, since there are computers. So we encounter every brand, every company, every company has something, entity and access management. And so we encounter a lot of them. But a lot of the times these systems, which have been there for ages have not really evolved with the times and with the times that we live in today. And so we end up finding, some of the vendors that you mentioned, but also with lots and lots of code, workarounds and things around to just complement what they were doing out of the box with what they require.

The biggest differentiator in Auth0 and Okta is first of all, we are a company; we're a modern company for modern times. We are cloud native companies, or we were cloud native companies. We're now one company that understands how technology is, how what is today's world in technology and what's coming in the next 10 years. But also more specifically, we focus on perhaps the biggest, biggest change is that we don't, we don't want our customers to become experts in identity. And so if you look at some of other approaches in the past, those products have been built primarily for identity and access management geeks. People who are like want to know the nitty gritty of the standards, and the corner case, use case, we are kind of the opposite. Our main value is that we don't require anybody to be an expert, because we are the experts.

So simplicity of use, is one of the big design considerations for, we can see this both in Okta, in Auth0, it just works. You don't have to spend like six months, configuring and deploying and expensive professional services, all of that it's out of the box, it just works. You turn it on, there's no deployment where cloud, SaaS companies. So simplicity is a big, big differentiator.

The second differentiator, which equally important, but very difficult to do, which is probably why we kind of nailed that component to is the extensibility. Because 80% of a or 20% of the use cases it happened 80% of the time, it just works, you don't need to do anything. But this is long tail of integrations or special cases, which every customer does. And for those, we give you the power to customize and extend the platform, without having to wait for our roadmap. The customer’s is like Excel spread sheets. In Excel spread sheets, there's a lot of formulas that you don't need to enter yourself. The average, it's already built in into Excel. But when you need to do your own formulas, Excel allows you to do your own formula, and put your own essentially code the formula. We have the same essentially the same capabilities in our platform where you can take our platform for common signups, logins, social logins, progressive profiling and a few other requirements in our world. We just give it to you, but when we need something special, you can easily extend it without having to do Frankenstein things.

Joshua Tilton

And you talked about how you were two cloud native companies, you're not one company. But let's go back to how you weren't always part of Okta you were just Auth0. And Okta has their own CIAM solution, which they still seem to kind of be investing in pretty heavily. So how does the Auth0 offering kind of complement existing capabilities from Okta? And if I'm a customer, and I'm buying, am I buying either the Auth0 CIAM features or the Auth to CIAM features? Is there a dynamic where I buy functionality from what used to be both your separate offerings? How do we think about that?

Eugenio Pace

Yes, that's a great question. And I get that question a lot. So we don't seem to be investing, we are investing. Let me be very crystal clear on that. We are investing on both platforms on or on the three platforms if you will. In Okta workforce, in Okta CIAM and in Auth0. And the reason being that between the two, the two platforms are complementary. So you might think that identity and access management is like one thing. It’s authentication and authorization. But there's a lot of nuance, and there's a lot of details, and there's a lot of use cases. So the first big classification is workforce and CIAM. Clearly, Okta has the strongest product in workforce.

Now, if you double click on CIAM, CIAM is actually made up of three clusters of used cases. And so there's one use case, which we call consumer applications, which we all know, because we use them all the time. This is, you go to a newspaper, you buy tickets in an airplane, or watching TV on Netflix that use case, consumer apps. The second cluster is what we call SaaS application. So Zoom will be a great example of that, applications technology that is being consumed by mostly companies. So it's kind of like the supply side of workforce, so is the other side of the coin of workforce, that's another category.

And then there's a third category, which we call external collaboration, which includes both consumer use cases and business cases. But the main difference being that the identity of the individuals interacting with that technology is not self-managed. So when you subscribe to a newspaper, you don't call the newspaper and say, hey, I want to become a subscriber. They don't send your papers to filling or any of that, you just do it yourself, you sign up on whatever website and you did yourself. But when you get a mortgage, or when you do certain operations, that require like some pre-existing relationship with the entity, you don't go to the website and sign up, you just fill forms, you go to a bank, and then you get an online account that it's correlated with that.

That's the world of externally external collaboration. It turns out that Auth0 is optimized for consumer apps, and for SaaS applications, which is where developers, there's a lot of development happening. And we call Okta CIAM, the Okta CIAM platform it's actually optimized, mostly for the external collaboration use case. And so this, of course, like some similarities, in use cases, in terms of lifecycle management, of a managed entity from workforce, that go into manage entities in external collaboration as well.

What I'm saying with this is that, between the two platforms, Auth0 and Okta CIAM we can cover more surface, as customers with use cases in the three buckets that I just mentioned, some of them more than one or the other it doesn't matter. So we're investing in both because with both platforms, we can cover the full spectrum of requirements that our customers have.

Joshua Tilton

And I think one of the main focus from investors as with Auth0 onto the Okta umbrella, there's this natural cross sell opportunity. How would you kind of just characterize how that cross selling has been going with the existing customer base? How successful have you guys been with it today? And just help us understand like, what is the ASP uplift of the monetization opportunity you're seeing as customer starts to purchase across both Auth0 and Okta?

Eugenio Pace

Well, it's still a little bit early because our combined go-to-market teams barely started really, even though we've been formally together for gosh, like nine months now 10 months. The system, sales systems and sales teams have only started working like being one at the beginning of the year. And so it's been early, but it's great to see already customers using, which were workforce customers now purchasing Auth0, Auth0 customers purchasing Okta workforce. So that was already happening. And, our -- we had a fantastic year last year. I think, couple of at least from Auth0 side, what has happened is that if there was any trepidation in larger organizations to purchase Auth0, now there isn’t because we are a public company. We are a company of experts. This has been like the validation in the market that we are the true experts in this domain in the full spectrum of requirements. And so, there's been early wins, which is awesome. The business has not slowed down at all. On the contrary, there's been, we've been able to, to sell into larger organizations, that before maybe we’re a little bit more reluctant buying from a private company like we were. And last year, we were both named leaders in Magic in the Gartner Magic Quadrant, which is another industry validation of, it's not just us saying, Hey, we're leaders, Gartner is saying the same thing. And so it's early, but we are very excited about what's going to happen this year.

Joshua Tilton

And maybe just talk about some of those early wins. I'm assuming it's going to go back to the use case answer but why all of a sudden did these off the customers choose to buy CIAM from Auth0. They could have always bought CIAM from Okta, so what is it that’s driving the cross sell now, when the cross sell could have always existed before Auth0 was under the Auth umbrella?

Eugenio Pace

There's two things I would say. The first one is the, the classification of use cases. And, based on what I described before, hopefully you get a sense that even though we were calling it CIAM, there's three flavors of CIAM. And so customers are doing different things. And we have customers today, they're using all of it, using Okta workforce, Okta CIAM and Auth0 because they happen to have all those use cases under their umbrellas. But there was another aspect of this. What was it the repeat the question for me, please?

Joshua Tilton

But why all of a sudden are the early adopters of Auth0 choosing to purchase CIAM today, when they could have always bought CIAM from Okta. But what's the…

Eugenio Pace

The main reason is a different use case for sure. There’s also an awareness thing. We Auth0 was a couple years behind Okta and now being part of the Okta brand, then all of a sudden, there's already a bigger awareness that we exist. It's a -- this is a big, big market, it's a, depending on who you read, and where it's anywhere between, $30 billion, it's roughly $30 billion of total addressable market. And even combined, we are just a very, very small percentage of that market. And so there's an awareness component of this as what was it? Oh, I didn't know that this existed.

Joshua Tilton

I'm going to rapid fire two questions very quickly, because we're short on time. But we have the sales team unified under Susan. I think everyone could sell everything now. What are kind of some of the key initiatives that you're most excited about to kind of continue to propel the strength that we've seen in Auth0 recently?

Eugenio Pace

Initiatives in turn you mean like in the…

Joshua Tilton

Sales initiatives.

Eugenio Pace

Sales initiatives. Well, our biggest priorities is a global expansion and expanding into the federal market. And so those two are important. Auth0 had a percentage wise, not in absolute numbers, but percentage wise, had a bigger component of an international market. And that's something that we can, it's a big, big opportunity, because the problem we solve is not exclusively in in the U.S., it happens everywhere in the world. Second initiative, it's expanding into a public sector.

Joshua Tilton

And then the next one is from an investor. It sounds like the external collaboration is more a niche use case, then consumer apps and SaaS apps. Is the expectation that the majority of customer identity revenues are going to be driven by Auth0 rather than Okta overtime?

Eugenio Pace

No, I don't I don't think so. The -- it might sound like it's niche, but there's like plenty of customers in that category as well. They also tend to be like a little bit more involved with either regulations because it's financial services and service regulations or, or integration with, more complex back end. So maybe the number in number, you have like a larger number on the other two, because it is two out of three. But they tend to be more, bigger projects as well. So, I wouldn't say that it's, larger revenue on one or the other.

Joshua Tilton

And just the last one from an investor. And maybe Todd could jump in on this one also. For every dollar that a customer pays for Okta, can you guys estimate the value associated with maybe the data or the app telemetry that you guys get from it?

Todd McKinnon

I think it's -- I think it's very valuable. And I think that we're we have a lot of ways we could actually build products to make that value accrue to the customer, actually. It's very generic for us. Basically, we've been focusing a lot on gaining more customers getting more traction, providing more capabilities and building more data. And I think over the next few years, you'll see us spend more time on capabilities that will actually translate that value back into customer value, which will of course increase the value that we can -- the value of providing the value we received.

Joshua Tilton

Amazing guys, I want to keep you guys on schedule. But thank you so much. Todd, thank you for jumping on last minute. Eugenio, thank you for joining us as well. And again, thanks everyone else for joining and being part of this fireside, and we'll speak to everyone soon.

Eugenio Pace

Thank you very much. Thanks for having us

Todd McKinnon

Thanks for having us. Bye.

