Okta: Credibility Has Been Smashed

Summary

• Okta shocked investors and customers by delaying a response to a Lapsus$ hack by two months.
• We believe that OKTA stock could remain in the penalty box in the near term.
• We discuss why investors should avoid OKTA stock for now.
• I do much more than just articles at Ultimate Growth Investing: Members get access to model portfolios, regular updates, a chat room, and more. Learn More »

Michael Vi/iStock Editorial via Getty Images

Investment Thesis

Okta, Inc.'s (NASDAQ:OKTA) highly embarrassing security incident in January involving a breach through its third-party provider Sitel by hacking group Lapsus$ impacted its stock. However, some Street analysts did not consider the hack as "material" on its forward projections. For example, BTIG retained its Buy rating on Okta, believing the impact to be "small." It added (edited):

We have done a lot of independent fieldwork to better understand the implications to Okta from the company's recent third-party breach disclosure.

We also conducted a survey of 25 Okta customers. Therefore, we believe that any impact from the breach will be relatively small and contained within FQ1.

Still, there's modest potential for risk on new customer additions. That said, we believe the headwind will be relatively small and abate within three months. Furthermore, we see little to no risk in existing customer expansion initiatives or churn. (The Fly)

However, we remain unconvinced. We think the credibility impact from Okta to provide timely disclosure has riled several customers and notable cybersecurity providers/partners.

Furthermore, Okta is not the only leading IAM/MFA player in town. For example, CrowdStrike (CRWD) highlighted that it works with several identity partners, including Ping Identity (PING), Duo (CSCO), CyberArk (CYBR), and Google Authenticator (GOOGL) (GOOG).

Therefore, we think Okta's delayed response has severely impacted its credibility. Notably, management's response certainly didn't do justice to its stock's implied growth premium.

Investors should also note that IAM/MFA providers have consistently traded at a considerable discount to OKTA stock. Hence, we believe that OKTA could remain in the penalty box in the near term.

Okta Riled Its Customers For Its Delayed Response

Okta's embarrassing incident has caused a stir among its customers that used it as an identity provider. The impact wasn't so much about Okta getting breached. Breaches have happened to security providers, and even Microsoft was also breached recently. But Okta customers were justifiably upset with the company's best practices regarding such disclosure.

Cybersecurity partner Tenable (TENB) was "infuriated." CEO Amit Yoran articulated (edited):

Two months is too long. This compromise should have been disclosed when Okta detected it in January or after a competent and timely forensic analysis.

No indicators of compromise have been published, no best practices and no guidance has been released on how to mitigate any potential increase in risk. As a customer, all we can say is that Okta has not contacted us. And, to the best of our knowledge, we are not affected by the breach. Out of an abundance of caution, we are taking what we believe to be logical actions to minimize exposure.

Trust is built on transparency and corporate responsibility, and demands both. I’ve been in the space long enough to know that security is imperfect. Even Mandiant (MNDT) was breached. But they had the fortitude and competence to provide as much detail as they could. And they remain one of the most trusted brands in security as a result. (Amit Yoran's LinkedIn)

Furthermore, Cloudflare (NET) was also visibly upset at Okta's initial response. CEO Matthew Prince articulated (edited): "Can anyone who's gotten a satisfactory answer to #Log4J, #Lof4Shell from Okta raise their hand? We certainly haven't. #rottenfishstinks." Prince then assured Cloudflare's customers that none of its customer accounts had been compromised. In a subsequent post, the company further clarified that it only used Okta for their internal employee accounts, but not for external customers.

Given Prince's exasperation over Okta's response, we don't think NET will even consider using Okta for its customers moving forward.

Unprofitable Business Model Leaves No Room For Compromise

Okta revenue YoY change % and GAAP operating margins % (S&P Capital IQ)

Okta reported robust revenue growth in its recent FQ4 earnings report, reaching 63.2% on $383M in revenue. However, its GAAP operating margins demonstrated that the company is nowhere near profitability, despite its growth.

Moreover, such a growth-focused strategy could work against Okta moving forward as it needs to work harder to convince customers on the sidelines given the loss of its credibility. As such, onboarding new customers could be increasingly costly, further impacting its weak bottom line.

Therefore, we think its weak fundamentals don't bode well for Okta until it thoroughly addresses its best practices on material disclosures moving forward.

We encourage investors to pay attention to how its key customers react to such guidance. Notably, they should also observe how its cybersecurity partners work with Okta moving forward. We think these players have a massive influence on the integration with Okta, given the multitude of options available. CISOs deliberations would most certainly involve inputs from cybersecurity players like Cloudflare and CrowdStrike moving forward.

Notably, Cloudflare and CrowdStrike partner with Ping Identity in its Critical Infrastructure Defense Project. Therefore, we believe PING could feature more in their discussions with their customers. As Cloudflare and CrowdStrike investors ourselves, we are glad the duo didn't pick Okta for its project.

Is OKTA Stock A Buy, Sell, Or Hold?

OKTA stock NTM revenue comps (TIKR)

OKTA stock consensus price targets Vs. stock performance (TIKR)

OKTA stock's growth premium has certainly been digested significantly. But, it's not surprising given that the market has consistently accorded a much lower premium to its IAM/MFA peers, as seen above. Nonetheless, it still traded at a premium, and we believe it could remain in a range or move lower.

Given lower peer multiples and a lack of management credibility, we think there are insufficient near-term catalysts to re-rate OKTA stock.

Investors should also be wary of using the average price targets ((PTs)) to add exposure to OKTA stock. The Street has gotten it "horribly" wrong over the past year, as they continued to revise OKTA stock downwards.

As such, we rate OKTA stock at Hold.

Analyst’s Disclosure: I/we have a beneficial long position in the shares of NET, CRWD, GOOGL either through stock ownership, options, or other derivatives. I wrote this article myself, and it expresses my own opinions. I am not receiving compensation for it (other than from Seeking Alpha). I have no business relationship with any company whose stock is mentioned in this article.

Comments

[JR Research]

This thing just broke its previous week's swing lows. Let's see if it can head to 2018 lows. When a company is deeply in the red, anything is possible.

[JohnnyM]

Now weeks after the so called breach, we have the #1 cyber security co trading sub $150.

Yes, we can toss the unprofitable fearful term out there for effect but must remember how pricing works.

OKTA was no different trading at $260+ but now that it became a reasonable entry, it's still viewed as risky?

$$$ mgrs have been accumulating stock off lows while the algos keep the deception alive.

We invest for the future and many will take advantage of the buy opps quietly.

ST PT. $155-$165 When the shift occurs.

Other cos are worth adding too on this environment.

Happy Easter!

[jeffk100]

@JohnnyM now under 120. valuation matters hugely in this market, as it always should have matter until the fed and gov turned the market into a joke

[DaSauce]

Lol you mentioned Google Authenticator, an open standard based OTP tool, as an Okta competitor. All credibility lost.

[JR Research]

@DaSauce This has been discussed below in other comments. And like we said earlier, Google Authenticator as a "leading" MFA tool was highlighted by CrowdStrike. Furthermore, Okta is still unprofitable. Let's see when they turn profitable after this. They might need to "burn" even more cash to onboard new clients, else they can't maintain their "break-neck" growth. Meanwhile, keep on giving them cash to burn, while they issue more stock based compensation to dilute your holdings.

[DaSauce]

@JR Research Google Auth was mentioned as a factor for OTHER identity providers. CS not the first to do this. Agnosticism across the board, in this case, supporting many 2 factors options including soft tokens (like Google Authenticator, commoditized feature) is core of Okta’s business model - it’s hoe they rip out legacy Symantec and RSA.

Maybe this will put it in perspective: no one pays for Google Authenticator. You can go download it on the App Store right now for free. It’s identity providers ppl pay for. Okta has always allowed for any 2Factor as they correctly view identity and the contextual policy engine governing the timing and events driving USE of the factor as the strategic piece. Take the hack they mitigated. Contextual policies caught that. And Google, like Microsoft, tries to bundle a solution here but it’s even more immature than Microsoft’s. With enough brute force workers you can get Microsoft’s approach to work, though it’s more complex than Okta due to its ties to legacy tech. Google is half baked. But even comparing the right solution (google workspaces security bundle, not Google authenticator), your statement shows you’re off the mark.

2 players here, Okta and Microsoft. And they pretty much have the market cornered. Ping for certain CIAM legacy use-cases but that’s it.

Your argument is flawed, and saying someone else said it to distance yourself (Crowdstrike) when you used this source to justify your take doesn’t make your take any less wrong.

To your point about profitability, they are ramping up international growth and just made a massive acquisition. And based off international results, it seems to be working. This happens in the B2B tech space l, see ServiceNow and CRM. If you’re confident Okta can get to the operating margins they had pre acquisition of Auth0 with similar growth (30%) at 3-4 billion, that shouldn’t be a long term concern.

I’d just buy both Microsoft and Okta. Don’t have to pick the winner, follow the macro trend.

[fmerkin]

@DaSauce good stuff. I didn't know Google has an enterprise SSO product. Agree that it is a 2 horse race... the bundle vs the best of breed.

[Kerfuffle Finn]

Skipped the investment as the customers who say they run Okta all make want to quit IT due to their unusable SSO. Could always be the customers’ fault, but I don’t have the expertise to judge so I considered it as a cockroach in the kitchen.

The delayed reaction here is me looking under the sink.

[Kennan Mell]

I wonder if this author has ever actually used Okta’s product. Comparing it to Google Authenticator and Cisco’s Duo is a bit misleading. Okta’s main competition is Microsoft

[JR Research]

@Kennan Mell We didn't say it, we merely highlighted what CrowdStrike indicated. You should ask CrowdStrike CEO George Kurtz. Given his roots in security, he surely knows better.

[Kennan Mell]

@JR Research Hm, the direct quote is omitted so I can’t say for sure but I would be surprised if he claimed that the partner integrations are mutually exclusive. For example, I use CrowdStrike, Okta, and Duo together at my day job. Duo for MFA, Okta for SSO

[JR Research]

@Kennan Mell Quote: "...Finally, a multi-identity vendor security approach gives enterprises the flexibility to choose their MFA provider. CrowdStrike Falcon Identity Protection enables out-of-the-box integration with most leading MFA providers — including Okta, Duo and Google Authenticator..."

[ssadaran]

Good article thanks.

As per OKTA "We are a trusted partner to businesses around the world and give our customers the confidence to reach their full potential." However a bunch of kids 16 - 21 years old broke thru their security . Does not say much for the security.

Wonder what traders are doing driving the stock up today though.

[JR Research]

@ssadaran You are welcome! Indeed, embarrassing for a bunch of kids telling a cybersecurity player that its platform was weak. At least when NVIDIA got hacked by Lapsus$, CEO Jensen Huang was upfront, saying it was a "wake up call." See: finance.yahoo.com/...

But, Okta management took two months to wake up. And being all that defensive, until several brickbats compelled them to issue an apology subsequently. That's not a best practice guide we would expect from a "top-notch" player. Sounds amateurish.

[fmerkin]

@ssadaran the hack was via RDP into a contractor's PC. That is endpoint device security which Okta doesn't do. From that standpoint, this was not a failure of the Okta product and due to the implementation of internal least privilege principles, the attackers were only able to *checks notes* take screenshots of L1 access to an internal tool. The attackers could have reset customers admin's passwords - but that would just initiate a multi-step process which would have alerted the customer admins to something fishy going on. To describe an attack that was successfully contained is not a "broke through" situation.

Now, should Okta tighten device security for contractors? Definitely. Should they have communicated this better? Definitely. They should have notified customers immediately. No disagreement there.

[canyon]

@fmerkin
But your facts are ruining the narrative of the Okta haters.

[ndardick]

Well reasoned and well written. I exited OKTA myself because, in a non-bull market and rising interest rate environment, I learned to react to bad news faster than to good news.

[JR Research]

@ndardick Thank you!

[necto]

I don't think trust has been broken. keep it long.

[Terry Eger]

Okta hired a President/COO. She hired a Chief Revenue Office from old company where she was Chief Revenue Officer. Old Okta sales team is leaving in droves. Question is can he bring in the talent to replace them. Suspect Okta will have a good quarter. Question is what about a quarter or two from now.

[JR Research]

@Terry Eger Makes sense.

[Puche]

I respectfully disagree with this article. Since going public in early April 2017 at around $17/share, OKTA has done nothing but deliver incredible growth and stock performance. As an early investor in OKTA I have followed the story extremely closely. I have also written about my views often on other SA articles. No doubt OKTA stock price back a year ago or so had gotten out ahead of itself. The recent acquisition provided additional uncertainty to investors. However, IMO OKTA's recent acquisition is going to turn out to be successful. IMO OKTA will continue to deliver low 20s to high teen growth for the next few years. IMO OKTA's balance sheet will continue to strengthen and its FCF, once the cost of implementation is behind it (within the next 12 months or so), will increase materially.

For long term investors who have the patience and wanted to potential increase their OKTA position, the recent pullback gave you an opportune entry point. IMO over the next 5+ years, OKTA's stock performance will deliver solid results. I'm confident that over my 10 year holding period at that time I will be extremely pleased with my OKTA returns. I continue to utilize derivatives to manage my risk, lower my average price and buy the stock cheaper than the current market. As I disclosed, the hedge that I put on last year has been taken off of OKTA as I expect the downward level to be reaching a bottom. Yes, it can go down some more. I'm not smart enough to call the absolute bottom but after the solid consolidation and my hedge working extremely well, it's time to be more opportunistic about OKTA's upside.

Of course this is just my two cents. No issue with anyone that has a different. view. Slow and steady! Good luck to all!

[JR Research]

@Puche Thanks for sharing your opinion! Let's see how management copes with new customers. That's more critical moving forward. We don't think Okta would be the same post-Lapsus$ hack. Customers will not forget, because its cybersecurity partners will remember. And they might not choose Okta for integration.

[DaSauce]

@JR Research you wrote nothing about the actual hack in your article just quotes inflammatory quotes with no security details. Misleading your followers.

[JR Research]

@DaSauce The details have been well covered, we don't need to rehash. What matters is what's next, and that's what we have shared. You don't have to agree with what we said, and we are fine with that.

[dgiinvestor]

Never impressed with $OKTA before. Might get interested circa $100.

[JR Research]

@dgiinvestor $100 would be pretty nice.

[pyrite99]

This stock has pumped from $130.00/share in April of 2020 until $290.00/share in February 7, 2021. OKTA is still unprofitable, but just wait say the pumpers. It has sooo much growth. Operating expenses 28% above revenue ttm.

[JR Research]

@pyrite99 Indeed, the CEO is going on Bloomberg TV later to try and pump the stock: twitter.com/...

[alphapecunia]

Presenting Google Authenticator as an alternative to OKTA ... ok boomer.

[tzwizard]

@alphapecunia lol

[dgiinvestor]

@alphapecunia My employer did just that. Last year.

But, go ahead and buy fractional shares of all the money-losing stocks the Robinhooders are buying.

[alphapecunia]

@dgiinvestor Smart employer

[indiffer3nce]

Monday FUD.