The Product Person - Auth0: Product-led Authentication
Introduction

Stumble across Eugenio Pace’s page on Amazon and you’d find a mildly successful author writing technical books such as “Moving Applications to the Cloud on the Microsoft Azure™ Platform”. Google the words “Eugenio Pace” and you find that he’s the CEO of Auth0, the identity-as-a-service startup that was acquired by Okta in February 2022 to the tune of $6.5 billion. That’s a lot of book sales. Auth0’s home page claims “basically, we make your login box awesome.” There is a substantial amount of complexity hiding behind that simple statement. A login box encompasses a whole multitude of authentication flows. Users can sign up, log in, or reset their passwords. Auth0’s customers cover a broad range of authentication preferences. One company might prefer the standard username-password, another might like Single Sign On (SSO, sign in with Google, Apple, or Facebook), yet another might require Multi-Factor Authentication (MFA, log in then confirm your identity). Not to mention session management, rotating refresh tokens, bot detection, and access management. Auth0 simplifies all of this complexity - at a cost. Enterprise companies pay anywhere from hundreds per month to millions per year.

Funding

Founding Story

Auth0 starts with Eugenio Pace and Matias Woloski. Pace had spent 13 years at Microsoft as a program manager (essentially a product manager). While there, he would write a book with Woloski on authentication, “A Guide to Claims-Based Identity and Access Control”. But they felt there was more work to be done. Authentication was notorious for being poorly implemented. In February 2013, Pace teamed up with Woloski to start Auth0, identity management that “just works”. The first version of their product focused on a single pain point: single-sign-on (SSO). In an announcement blog post, Pace showcases the following graph: Auth0 was far from the only company working on SSO.
Okta started in 2009 by selling to companies looking for best-of-breed workforce identity software instead of large ERP contracts from Microsoft, IBM, or Oracle. By 2013, Okta was the leader in the enterprise authentication space. Undaunted, Auth0 threw their hat into the ring, pursuing a developer-first approach. Woloski personally wrote comprehensive documentation that helped Auth0 stand out from other authentication solutions. He also recruited a founding team of engineers from Buenos Aires and started shipping. In their first year, the team built user management dashboards, a wealth of social and enterprise identity providers, and SDKs for major platforms (including Windows 8)! Despite that, Auth0 ended the year with only 1,700 subscribers, most of them on the free development tier. To change this, the pair brought in Jon Gelsey as CEO in January 2014. Like Pace, Gelsey had spent a long tenure at Microsoft and most recently had been the Director of Strategy and M&A. Pace stepped down from CEO to serve as VP of Customer Success. One of Gelsey’s first moves was to hire a team of advisors including Guillermo Rauch (Creator of socket.io and CEO of Vercel) and Tim Bray (co-author of XML). These advisors added serious credibility to the Auth0 product. From there, Gelsey started raising Auth0’s seed round. In their meetings with VCs, they pitched themselves as “Twilio for identity.” It worked, attracting the attention of Bessemer Venture Partners, a venture capital fund with roughly $4B AUM. In an investment memo, the Bessemer team wrote:
And true to Auth0’s thesis, these exact developers were paying $10k per month. In September 2014, they announced their $2.4 million seed round, led by Bessemer.

Product-Market Fit

Along with the seed funding, Auth0 also got a rare chance to be featured in USA TODAY. The team capitalized on the opportunity, with claims such as “The company's promise is that it can help the Home Depots, JPMorgan Chases and Targets of the world avoid headline-grabbing, trust-threatening breaches.” These bold claims were part of a larger wave of Identity Access Management (IAM) changes. Starting with Okta, a host of vendors had been focused on pairing legacy identity systems like Microsoft Active Directory with best-of-breed cloud tools such as Salesforce and Slack. IT teams utilized these SSO vendors to ensure that employees could access all their cloud tools with a single pair of credentials. By the end of Auth0’s seed round, Okta had already reached around $30 million in ARR with a recent $75M Series E. To fight larger competitors, Auth0 took a slightly different tack to growth. Gelsey implemented a product-led growth (PLG) motion. In his words, “[PLG] done right is an inexpensive way to generate high-quality leads for the top of the sales funnel.” The first step was content marketing. Rather than just English content, Auth0 would create blog posts in Japanese and German to serve international audiences. To write the blog posts, Gelsey hired Martin Gontovnikas as a Developer Advocate and the 6th employee at Auth0. Over the coming months, Auth0’s content library would steadily move from product announcements to “How to Build Customer Trust in Your SaaS Through SOC 2”, “How to take your SaaS upmarket and grow your revenue by 20x”, and “How To Motivate Your Employees”. The general business content was part of Gelsey’s strategy of generating search engine traffic for Auth0. In his words:
The second step was minimizing the “time to WOW”. Gelsey wanted prospects to be impressed by the product as quickly as possible. Rather than wasting the goodwill generated by the content on sales meetings, Auth0 encouraged developers to implement an Auth0 login widget with a couple of lines of code. This was made especially easy with the high-quality documentation that Woloski had so painstakingly perfected. The pricing model was also optimized to reduce friction. The Auth0 team had the philosophy of “we don’t make money until you make money”. As a result, developers could access all of Auth0’s features for free and pay once usage hit certain limits. One year after raising their seed round, their strategy had won the trust of customers like Schneider Electric, JetPrivilege, and Mindjet. In June 2015, Gelsey raised a $6.9 million Series A led once again by Bessemer and joined by K9 Ventures as well.

Growth

Shortly after Auth0’s Series A, the company brought in another key executive. Gelsey’s PLG strategy only guaranteed “high-quality leads” for Auth0. He still needed someone to actually close Wilner was a veteran of Redfin and Hewlett Packard and joined Auth0 as their first CRO in November 2015. In the coming months, Wilner would close high-profile clients such as Dow Jones (US financial publishing firm), CenturyLink (US telecommunications company), and Telkomsel (Indonesian wireless network provider). Under Wilner, the sales motion at Auth0 started to diverge from industry norms. Customers that wanted bespoke features were startled to hear “yes” from Auth0’s salesforce. Instead of building a feature from scratch, Auth0’s customer success team used “Auth0 Rules” to customize the authentication transaction. This extensibility helped overcome much of the resistance that larger organizations had when switching to a new authentication provider. In the background, Auth0 was also reaching a new market.
Rather than enterprise identity, developers were using Auth0’s social connections (Sign in with Google or Facebook) to build customer-facing user authentication. Before, user authentication for most companies meant building their own login systems (in industry lingo, they “rolled” their own auth). The growing trend of using third-party services like AWS and Stripe instead of buying server racks or building payment processors from scratch marked a shift for developers. Auth0 fit right in: it made sense to offload authentication to an identity-as-a-service provider. Coinciding with Auth0’s shift towards customer authentication was a year of constant data breaches. In a 2015 end-of-year blog post, Gontovnikas wrote that organizations from “Ashley Madison, TalkTalk, Slack, LastPass, and HipChat…have all seen their services compromised this year by unauthorized data breaches or attacks.” The post also highlighted the Starbucks hack where thieves had stolen user passwords and abused the lax security measures to siphon gift card funds. Auth0 had a solution for this: Multi-Factor Authentication (MFA) where users are required to access another linked account to authenticate. And Auth0’s MFA product had just launched in August 2015. Security was a key part of Auth0’s story in 2015. The team shipped features such as Breached Password Detection, Anomaly Detection security, Multifactor Authentication, and Passwordless Authentication. In August 2016, Auth0 raised its $15 million Series B, led by Trinity Ventures. The headline quote from Jon Gelsey was:
Expansion

Auth0 had been an international company from day one. Most of their engineering team was based in Buenos Aires, where salaries were 10-20x lower than in the US. With an international team, Auth0 set their sights on non-US customers. Rather than trying to overcome legacy systems, Gelsey focused on companies that hadn’t invested heavily in authentication yet. For the first few years, Auth0’s largest customer was Sancor Seguros (Argentina’s largest insurance company). With the new capital, Auth0 rapidly expanded their international presence. They established a London office to serve the EMEA region and localized their website to the Japanese market. Many of the new international hires went to sales and in the first half of 2017, Auth0 brought on:
The string of high-profile wins culminated in a $30 million Series C in June 2017. The round was led by Meritech Capital Partners. Their international efforts also attracted funding from NTT DOCOMO Ventures (Japan’s largest mobile carrier) and Telstra Ventures (the venture capital arm of Australia’s largest mobile carrier). Auth0 experienced a sudden shift in leadership in 2017 as well. That December, Auth0 put out a press release that Eugenio Pace would replace Jon Gelsey as CEO. The verbiage, “effective immediately”, and the fact that Gelsey did not retain his board seat indicate the split was not amicable. Despite the shakeup, Auth0’s progress never slowed. They went on to raise:
The rush of capital was followed by an acquisition offer from Auth0 for $6.5 billion. The acquisition had been a long time in the making. Todd McKinnon, Okta’s CEO, had first emailed Eugenio Pace in July 2013, five months after Auth0 started. Over the years, McKinnon made multiple passes at Auth0, even after acquiring Stormpath, a close competitor of Auth0. Finally, with the pandemic doubling Okta’s market capitalization to a high of $45 billion, McKinnon could make the Auth0 team an offer which was impossible to turn down. The $6.5 billion purchase price was a 3.4x premium on Auth0’s Series F valuation. After a long negotiation period, Okta finally announced the acquisition in March 2021, and it was finalized in May 2021.

Conclusion

Since Okta’s acquisition of Auth0, the stock market has battered both companies. From its previous $45 billion market cap high, Okta trades at $12 billion today (February 2023). At acquisition, the synergies of the two companies were quite clear: Okta was number one in the B2E workforce identity market while Auth0 was the leader in B2B and B2C authentication. Unfortunately, the cultures of the two distinct companies didn’t mix. Auth0’s bottom-up developer-first approach contrasted heavily with Okta’s sales-led-growth motion. Okta saw heavy attrition in their sales force after the acquisition, including the departure of their CRO, Steve Rowland, and CMO, Kendall Collins. [0] In McKinnon’s words:
Despite all this, Okta’s core workforce identity and Auth0’s user authentication products are still leaders in their respective markets and McKinnon has become more upbeat on recent earnings calls. Today, dozens of startups are vying for a piece of the authentication market. While Auth0 and Okta’s products have led them to the top of the market, it’s unclear what the future holds for the now-combined companies.

[0] Steve Rowland went over to Drata - which we profiled in another piece.