
A Conversation with Okta CEO Todd McKinnon

The digital identity company recently announced it would acquire Auth0 for ~$6.5 billion

Francis Scialabba


Okta is the biggest company in digital identity. OK great, but what does that mean? Essentially, it helps customers securely authenticate employees or customers.

We wanted to hear about the future of safe passage on the information superhighway. So, we sat down with Okta CEO Todd McKinnon to chat about that, his company’s recent mega-deal, and more.

NB: This Q&A has been edited for clarity and length.

How do you define identity? What do you tell the average person that Okta does?

It goes back to the vision of our company, which is not really about identity. It’s about helping anyone safely use the technology they want to use. We help companies connect their users to all the technology they need to run their business.

The majority of our business—roughly 75%—is helping employees login to apps at work. About 25% is helping customers help their customers log in. If you go to the MLB app, for example, to check out baseball scores, that log-in is through Okta. It’s almost baseball season, Ryan. [Editor’s note: The conversation took place on March 24.]

It is. Opening Day is almost upon us. As for the identity part?

The identity part is passwords, two-factor authentication, and the security and privacy of your information. Helping enterprises also means helping consumers use technology. As we get more and more customers using us for customer identity, that’s more and more consumers using Okta. You can imagine a world where you use Okta not just for work logins, but for all your websites. It starts to become the digital identity on the internet.

Is there a difference between building for enterprise employees or consumer end users?

There’s different implementations of it, but the main idea is the same: Super easy for the end user. Make it clear to them why it’s secure and where their information is going. Make it clear to the business that the right user is logging in.

Auth0, is, uh...That’s a large acquisition. Can you walk me through the rationale behind the deal?

From our roots, our approach started with employee identity and selling that platform to leaders in companies, like CIOs or CSOs [chief information officer; chief security officer]. Now, we say: ‘We have thousands of customers who trust us for employee identity, you should trust us for customer identity.’

Auth0 came to market very differently by building a developer platform, kind of like Stripe or Twilio. The functionality is similar—a directory of users and single sign-on or multi-factor authentication protocols—but from the ground up, it was all built for developers. So, really, what you get is two parts of the market. Together, we can serve customers however they want to buy and use these services. That’s why it’s so strategic for us.

Do you think there is more consolidation ahead in this industry?

I do. Identity and, broadly speaking, security, are pretty fragmented. I definitely think there's more opportunity for M&A and consolidation. From the CIO’s or CSO’s point of view, the array of stuff you have to evaluate and buy is kind of dizzying. At the end of the day, it’s about making it easier for them to stop worrying about these details and get back to the stuff that actually moves the needles on their business.

Morning Brew doesn’t want to directly worry about all this. Morning Brew cares about subscribers, great content, engagement, and at some level, advertising.

The Brew is transitioning to an organization with more process and documentation, and that includes more robust security measures. As someone with a Yubikey, I know why that needs to happen. But there are pain points. The more steps involved in digital hygiene measures, the less incentivized the average user is to go through those steps voluntarily. Right?

It's a mess today and not integrated. For example, you have a great login mechanism—Face ID—on your phone. Why can’t you use it everywhere? Because it’s not integrated, right? Apple doesn’t know about all your apps. It’s really difficult for developers to write code that identifies the feature, it needs to be iPhone-specific, and it has to be installed.

As an industry, we’ve just done a crappy job integrating everything. We have a catalog of all these applications, over 7,000 of them, integrated into the platform. Our vision ultimately is just making everything more integrated, so that by the time it reaches the end user, it’s not even a choice. Face ID just works. But we’re far from that point, and we have a lot of work to do.

What’s your take on login services from Big Tech companies?

They're helpful in some cases, but the problem is that they're not integrated comprehensively. For example, you can’t use your Facebook on a lot of banks. Facebook doesn’t really have a reason to get banks to use their log-in. The banks don’t want that brand association.

On the consumer side, there’s also a trust problem. You probably don’t want to use Facebook for a lot of things. I think ultimately what we need is a standard or company like Okta that's not monetizing from selling ads. I don't want to get into if I think that's evil or not.

Yeah, we don’t need to do that today. I don’t know if you caught the recent Motherboard story—“A Hacker Got All My Texts for $16”—which highlighted a pretty big vulnerability in SMS. What are your views on SMS-based two-factor authentication?

There's always a balance. Nothing's perfect. Everything could have vulnerabilities. At some level, if the vulnerabilities are infrequent or esoteric enough, the value of having the factor outweighs the vulnerabilities. SMS is reaching a point where it's getting close. The value of having it is getting close to being outweighed by the vulnerabilities.

A lot of issues aren't even technical. It’s process stuff, like resetting the phone number with the carrier, the SIM card, and all that. That’s why platforms are offering different options, like Yubikey or the push services. They’re not perfect, but they’re better than SMS.

My last question comes courtesy of Justin, a developer friend who writes the Technically newsletter. What do you think about newer authentication methods outside of single sign-on? Think magic links, biometrics, et cetera et cetera.

They're really important. I think more apps should use them. I love that whenever I go to PayPal, I just get a magic link. I just say ‘send me an email,’ they send me an email, I click on the link, and it works. But this goes back to that point about integration. If there’s good developer APIs for the builder of that app, newer methods are easier to do. But that’s not always the case.

People ask me about new factors or new types of biometrics a lot. They’re great, I think we should have tons of factors and they should all be integrated. I should let the developer or the customer choose which they want to use.

That’s at our core. We’re really an integration company, building this logical map of all the devices, all the apps, all the users, and the policy of what can connect to what based on assurances. But I would never start with that description at a party, Ryan. You know what I say?

What?

I run a company, it's called Okta. They ask: ‘Oh what is Okta?’ and I just say ‘Oh, it’s cloud security stuff.’

Abstracting away the complexity is key. Anything else you’d like to add on the cloud front?

Identity was never an independent thing before. It was a feature inside of larger legacy companies. We’re the only company that’s ever built a public-scale, billion-dollar revenue company around identity. When we started, the people I pitched the company to said: ‘This is not a big enough problem to make an independent company.’

What’s different now? Two things: 1) With everyone using SaaS and cloud, there’s ten times more apps. Back in the day, a company had email and a few apps. Now, there’s like a thousand. 2) As everything got so much more accessible, security implications became this second-order effect. The importance of verification and authentication increased by ten times.
