Okta CEO Todd McKinnon on How SMS Tokens Put Customers in Danger During Twilio Hack
There’s been an unintended effect from Okta’s acquisition of customer identity giant Auth0. It confused its own sales force.
Okta has a customer identity and access management tool. So did Auth0. When the two merged, the joint sales forces were unsure about which one to try to sell, Okta co-founder and CEO Todd McKinnon told investors Wednesday. As a result, some of the sales force left.
“The sales integration challenges we’ve encountered lay squarely on my shoulders and I recognize we have more work to do to regain our momentum,” McKinnon says. “We’ve taken some decisive actions that we believe will get us back on track.”
Okta hopes to clean up the mess by rebranding its CIAM tool as extended workforce identity, making Auth0 the sole customer identity offering going forward (see: Okta CEO: Hack Didn’t Have Quantifiable Impact on Business).
Simplifying the Sales Process
Although both Okta and Auth0 have CIAM offerings, McKinnon says each product focuses on very different use cases. Auth0’s CIAM tool aims to protect consumer or B2B SaaS applications built by the customer, McKinnon says.
In contrast, McKinnon says Okta’s CIAM product has really been focused on giving partners, contractors, suppliers, customers and employees secure access to email, Salesforce or corporate SaaS applications used internally by the customer. McKinnon says there’s some overlap around use cases that could be addressed by both Okta and Auth0’s product, but two-thirds of scenarios clearly favor one of the tools.
“If you think about what we’re trying to do here with the customer identity cloud and the workforce identity cloud, it’s about simplification,” CFO Brett Tighe told investors Wednesday. “It’s about making it easier for customers to understand where they should go, who they should talk to, as well as for our salesforce to communicate that.”
The combining of Okta and Auth0’s sales teams on Feb. 1 has also accelerated staff turnover, McKinnon says. Okta’s employee attrition has crept up from 15% in the years leading up to the COVID-19 pandemic to more than 20% currently, and McKinnon says the company wants to return to its pre-COVID turnover rate.
The turnover has been even more pronounced among former employees of Seattle-area Auth0, which Okta acquired for $6.5 billion in May 2021. With the integration, McKinnon says Auth0’s go-to-market organization went from selling a CIAM product to the developer community to selling an entire suite of identity tools to everyone from CISOs to product leaders, prompting many to leave for smaller firms.
“We had a super, super aggressive hiring plan coming into this year,” McKinnon says. “And we were really trying to cover all the market and make sure we had every nook and cranny in terms of growth opportunity covered. And that, in retrospect, was a mistake. We should have had more of a moderated growth plan from the beginning to make sure that we could achieve that at the level we wanted to.”
Twilio Breach Highlights Dangers of SMS Tokens
Okta disclosed earlier this week that some customers’ authentication data was exposed by the attack on customer engagement platform Twilio. As a result, the hacker was able to access mobile phone numbers and associated SMS messages containing one-time passwords for some Okta customers. Okta leverages Twilio for one of the services it offers to customers that opt to use SMS as an authentication factor (see: Okta Customer Data Exposed via Phishing Attack on Twilio).
“They had an innovative approach on their attack with how they phished for not only the password, but also the one-time code and some less secure ways to authenticate into Okta like SMS tokens,” McKinnon told investors Wednesday. “It usually doesn’t work, but this was a novel approach, so it worked on a few customers.”
McKinnon says the problem was that some customers were using a less secure factor to protect highly sensitive resources that would have been better protected by cryptographic verification with no login page or password, which removes the credentials a phishing page would otherwise capture. McKinnon wants to see more customers adopt this unphishable configuration with no password or login page, especially for sensitive resources.
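The contrast McKinnon draws, as an added illustration that is not from the article or from Okta: a small Python model of why a one-time SMS code typed into a look-alike page is accepted by the real service, while an assertion that cryptographically binds the origin the browser is talking to (the shape of a FIDO2/WebAuthn check) is rejected. The origins, the user, and the HMAC standing in for a public-key signature are all constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed origins: the real relying party and the look-alike page a relay uses.
REAL_ORIGIN = "https://login.example.test"
LOOKALIKE_ORIGIN = "https://login-example.test"

class SmsOtpRelyingParty:
    """Accepts any current one-time code; it cannot tell where the code was typed."""
    def __init__(self):
        self.pending = {}
    def send_code(self, user):
        code = f"{secrets.randbelow(10**6):06d}"   # stands in for the SMS delivery
        self.pending[user] = code
        return code
    def verify(self, user, code):
        return bool(code) and hmac.compare_digest(self.pending.pop(user, ""), code)

class Authenticator:
    """Signs the challenge plus the origin the browser reports (HMAC stands in for a signature)."""
    def __init__(self, key):
        self.key = key
    def sign(self, origin_seen, challenge):
        return hmac.new(self.key, origin_seen.encode() + b"|" + challenge, hashlib.sha256).digest()

class OriginBoundRelyingParty:
    """Checks the assertion against its own origin; a look-alike origin fails even with a relayed challenge."""
    def __init__(self, origin, keys):
        self.origin, self.keys, self.pending = origin, keys, {}
    def challenge(self, user):
        self.pending[user] = secrets.token_bytes(32)
        return self.pending[user]
    def verify(self, user, tag):
        chal = self.pending.pop(user, None)
        if chal is None:
            return False
        expected = Authenticator(self.keys[user]).sign(self.origin, chal)
        return hmac.compare_digest(expected, tag)

def relay_sms_otp(user="alice"):
    rp = SmsOtpRelyingParty()
    code = rp.send_code(user)     # victim receives the SMS and types it on the look-alike page
    return rp.verify(user, code)  # the relayed code is indistinguishable, so it is accepted

def origin_bound_login(origin_seen, user="alice"):
    key = secrets.token_bytes(32)
    rp = OriginBoundRelyingParty(REAL_ORIGIN, {user: key})
    chal = rp.challenge(user)     # a relay forwards this challenge unchanged
    return rp.verify(user, Authenticator(key).sign(origin_seen, chal))
```

Calling `origin_bound_login(REAL_ORIGIN)` succeeds and `origin_bound_login(LOOKALIKE_ORIGIN)` fails, while `relay_sms_otp()` succeeds: the SMS server has no way to learn which page the code was entered on.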
“Customers have been very confident in our ability to protect them and configure the product in a way that’s effective,” McKinnon says. “They know that all of their infrastructures are being attacked, and having partners [like Okta] that can help them ratchet up their defenses all the way towards this unphishable configuration is something they’re very comfortable with.”
Rising Sales, Improving Losses
|Okta|Quarter Ended July 31, 2022|Quarter Ended July 31, 2021|Change|
|---|---|---|---|
|Professional Services Revenue|$16.4M|$12.4M|32.7%|
|Loss Per Share|$1.34|$1.83|26.8%|
|Non-GAAP Net Loss|$16M|$16.3M|2%|
|Non-GAAP Loss Per Share|$0.10|$0.11|9.1%|
Okta’s revenue of $451.8 million in the quarter ended July 31 beat Seeking Alpha’s sales estimate of $430.7 million. And the company’s non-GAAP loss of $0.10 per share was better than Seeking Alpha’s non-GAAP loss estimate of $0.30 per share.
The company’s stock is down $11 – 12.04% – to $80.40 per share in after-hours trading Wednesday. That’s the lowest Okta’s stock has traded since June 16.
For the quarter ending July 31, Okta expects non-GAAP net loss of $0.24 to $0.25 per share on revenue of between $463 million and $465 million, representing a year-over-year growth rate of between 32% and 33%. Analysts had been expecting non-GAAP net loss of $0.28 per share on sales of $464.3 million.