[HN Gopher] Okta to Acquire Auth0 for $6.5B
___________________________________________________________________
Okta to Acquire Auth0 for $6.5B
Author : lpage
Score : 123 points
Date : 2021-03-03 21:04 UTC (1 hours ago)
(HTM) web link (www.cnbc.com)
(TXT) w3m dump (www.cnbc.com)
| sytringy05 wrote:
| Wow, I wonder if this will create some space for a new
| competitor? I mean apart from these 2, who else are a serious
| option for rock solid SaaS IdP?
| marton78 wrote:
| ory.sh
| erulabs wrote:
| I recommend SuperTokens https://supertokens.io/
| daenney wrote:
| > All other providers require an OAuth implementation even if
| you do not need SSO because of the way they've architected
| their solution. With SuperTokens, we've decoupled the
| functionality for different use cases, making it possible to
| only worry about the features you need.
|
| Eh? You're either doing Oauth or you're not? What have they
| decoupled?
| SahAssar wrote:
| Not having any 2FA makes it a non-starter for a lot of
| people.
| grinich wrote:
| Come try WorkOS! http://workos.com/
| ignoramous wrote:
| > _...who else are a serious option for rock solid SaaS IdP?_
|
| Google Cloud (Firebase Auth), AWS (Cognito), and Azure (Active
| Directory) are as rock-solid as they come.
|
| FusionAuth.io, userbase.com, and clerk.dev come to mind as
| well.
| technics256 wrote:
| Anyone who's used cognito knows it's a joke compared to the
| others.
| irgeek wrote:
| Cognito is a joke. It's full of bugs, the hosted UI doesn't
| support half the features and -- based on the change velocity
| I've seen over the last three years --- it is desperately
| under-resourced by AWS. The new releases always seem to be
| small changes (like adding a new OAuth provider) but never
| fixes for the major bugs.
| tanseydavid wrote:
| Azure Active Directory leaves much to be desired.
|
| If it was not a MS product it would struggle to attract a
| market.
| pionar wrote:
| How so? I'd argue they're far ahead of the competition in
| features.
| motives wrote:
| AAD implements SAML, OIDC, LDAP, Kerberos, FIDO2 and more.
| Even if it was not a Microsoft product, it would have
| better non-proprietary interoperability than most other SSO
| platforms.
| giantandroids wrote:
| https://www.keycloak.org/
| marc__1 wrote:
| More information on the ppt
|
| Auth0
|
| 200M ARR
|
| 50% Growth
|
| 120%+ Net Retention Rate
|
| https://investor.okta.com/static-files/83f1811e-2f92-4c08-a1...
|
| What a great acquisition. Congrats to both teams!
| capableweb wrote:
| > What a great acquisition. Congrats to both teams!
|
| Great acquisition for those two, what about customers who
| always seem to lose when companies get acquired? The market now
| has less competition, people who were using Auth0 are eventually
| gonna have to modify their infrastructure because of this and
| things will become more unstable.
| marc__1 wrote:
| Bezos apparently said once that "Your margin is my
| opportunity".
|
| If this merger increases future profitability of new Okta,
| then you can argue there is a newer genuine market
| opportunity in authentication.
|
| The VC-backed industry is all about creating new
| opportunities (and by definition disrupting someone else's
| business), and recirculating investment money, improving our
| economy
| ramraj07 wrote:
| Honestly as auth0 users we were mulling moving over to okta
| anyway. Auth0's offering has always been slightly rough around
| the edges and we end up with slightly suboptimal implementations
| because of that.
| scrollaway wrote:
| If that were the case, Okta would not have acquired Auth0.
| techrat wrote:
| Acquisitions don't happen exclusively because a company
| is buying out someone who is better than them.
|
| Sometimes they happen so a company can buy out someone so
| they won't have the chance to become better than them and
| a serious competitor.
| mschuster91 wrote:
| Taking over a competitor is always a good idea, simply to
| reduce the amount of players you compete with. This is
| why Facebook gobbled up Instagram and Whatsapp.
| mooreds wrote:
| Those are some killer numbers!
| dang wrote:
| We changed the URL from
| https://www.okta.com/press-room/press-releases/okta-signs-ag...
| to a third-party article. Usually
| though not always, corporate press releases are tepid devices
| whose purpose is as much _not_ to say things as to say them, or
| at least not say them outright. So generally we prefer the best
| third-party article on a topic.
|
| https://hn.algolia.com/?dateRange=all&page=0&prefix=true&sor...
|
| (Cases like this are an exception to the 'original source' rule
| in https://news.ycombinator.com/newsguidelines.html.)
| astuyvenberg wrote:
| Congrats to the Auth0 team! Their product solves a really tricky,
| undifferentiated problem that I'm glad I don't have to solve
| anymore.
| ericlewis wrote:
| I've used this a lot and it is stupidly expensive typically -
| hopefully this acquisition makes it more pervasive because they
| do a seriously great job at what they do!
| SavantIdiot wrote:
| stormpath > auth0 > okta > ??
|
| Wonder who buys them next. This will be the third time I've
| updated my deployments.
| toomuchtodo wrote:
| Salesforce?
| basch wrote:
| Would be a smart move for Adobe as well.
| bonsai80 wrote:
| Random safe bet seems to put Salesforce on the right
| side of such a diagram, regardless of what the left side
| companies do. :)
| ar_lan wrote:
| I was wondering when this was going to happen.
| mooreds wrote:
| Really? I am in this space and didn't see this at all. Auth0
| (and other competitors) seemed to be growing quickly. I don't
| know why they wanted to sell; must be a really good offer +
| some synergies.
| chromatin wrote:
| Hm, I now cannot find the other thread which had 40 some comments
| (but also linked to the corporate press release).
| dang wrote:
| Merge in progress. Please stand by!
|
| Edit: Merge completed. Please resume reading!
| dec0dedab0de wrote:
| Does anyone else think it's a horrible idea to outsource your
| company's authentication?
|
| Where I work we are migrating to Okta, and it blows my mind that
| anyone thinks it is a good idea.
| coderintherye wrote:
| I'm sure you could find people that think it is a bad idea, but
| most people including myself find it to be a good idea.
|
| What do you see to be horrible about it exactly?
| lpage wrote:
| Full details are in the investor release [1]
|
| [1] https://investor.okta.com/static-files/83f1811e-2f92-4c08-a1...
| fumar wrote:
| Okta stock dropped 12% in after hours. I see the acquisition as a
| positive business decision.
| missedthecue wrote:
| Dropped because OKTA will issue an additional 21% of their
| outstanding stock to make the purchase, diluting existing
| shareholders
| basch wrote:
| But shareholders own an entire nother company now.
| djrogers wrote:
| The stock dropping only 12% after a 21% dilution reflects that
| 'the street' sees this as a net positive as well.
| packetlost wrote:
| Oh no
| grinich wrote:
| If anyone's looking for an Auth0 alternative, come check out
| WorkOS!
|
| It's like Stripe for enterprise features, including SSO/SAML,
| Directory/SCIM, and more.
|
| https://workos.com/docs
|
| (I'm the founder.)
|
| Edit: Here's our launch last year:
| https://news.ycombinator.com/item?id=22607402
| cellar_door wrote:
| Stock is getting hammered in after hours on top of -6.89% today
| macintux wrote:
| Effectively a dup: https://news.ycombinator.com/item?id=26334659
| dang wrote:
| That one was posted later, so I think it will be fairest to
| merge hither.
|
| (Item IDs are the definitive way to check that btw.)
| didip wrote:
| How do both of them make money?
| andrew_ wrote:
| I hope this gives rise to another, smaller viable party outside
| of Amazon, Google, and Microsoft. Perhaps I'm jaded, perhaps
| hopelessly biased - but I can only see this as a net negative.
|
| Okta's open source packages receive a pitiful amount of attention
| (for example:
| https://github.com/okta/okta-oidc-js/issues?q=is%3Aissue+is%...)
| with forks almost becoming a
| requirement. Auth0 by contrast has been "on the ball" for a long
| time with their offerings. Okta's interfaces have been disjointed
| and inconsistent, confusing to users on a scale only surpassed by
| Jira, while Auth0's have always been pleasant to use from a user
| and developer perspective.
|
| From a personnel perspective, the two companies couldn't be more
| different, with Auth0 embracing a remote-first-class culture with
| creative interview processes, and Okta (pre-covid) being very
| much the opposite. I interviewed with both, and the process at
| Auth0 had me walk away with respect, while contrasted with Okta
| that left me reminded that tech hiring is broken.
|
| I'll hold my breath for a short time that Auth0 is allowed to
| operate independently. Sadly I feel it'll be inevitable that
| they're eventually swallowed up by the mothership.
| aussieguy1234 wrote:
| I did an integration with AWS Cognito. It can only act as an
| oauth client, not a server.
|
| So it can only let people log in with Google etc, not log in
| with <your app> on other apps
| vwpolo3 wrote:
| There are already true open source alternatives on the horizon
| such as https://github.com/ory
|
| It is about time for a new generation of identity systems in my
| opinion. This acquisition shows the risk of centralized, vendor
| locked-in services.
| kenm47 wrote:
| Have you heard of https://fusionauth.io/ ? I'm not a user of
| the product, but I know some of the folks behind it. Might be
| time for them to shine here.
| robotdan wrote:
| Thanks for the mention. We already do see quite a few Auth0
| converts. I expect to gain a lot of new customers as a result
| of this merger in the coming months. No complaints here.
| sixhobbits wrote:
| +1 - I set up a FusionAuth instance to do a tutorial for them
| and it was a great experience.
| adamcstephens wrote:
| Regulators should block this merger. Consolidation is strangling
| capitalism in this country.
| bogomipz wrote:
| >"I interviewed with both, and the process at Auth0 had me walk
| away with respect, while contrasted with Okta that left me
| reminded that tech hiring is broken."
|
| While I haven't interviewed with Auth0 it sounds like we both
| had the same experience and impression regarding Okta. You know
| something is off when your interview loop for an engineering
| role involves the President of Technology doing coding
| interviews and all your interviewers warn you about your
| upcoming interview with him. I thought it said a lot about
| the culture there.
| watertom wrote:
| How will market consolidation lead to a smaller viable
| alternative?
| edoceo wrote:
| Nature abhors a vacuum
| grinich wrote:
| We are doing this at WorkOS. :)
|
| https://workos.com/docs
| turtlebits wrote:
| Agreed, I found it hard to write integrations with Okta and
| ended up using Keycloak and integrating it as an OIDC client.
|
| I found Keycloak extremely easy to setup and work with.
| Spooky23 wrote:
| Okta is one of the more disappointing companies for me.
|
| In the enterprise space, imo Microsoft is going to eat
| everyone's lunch. Azure AD is pretty transformative, and their
| public facing stuff isn't that far apart from what Okta does.
| bootyfarm wrote:
| RIP Stormpath RIP Auth0
| tootie wrote:
| Wow. These guys were basically 1 and 2 when it comes to
| enterprise auth/CIAM. It's great news for the businesses, but
| will likely only decrease competition in the marketplace. There's
| a ton of second tier competitors out there with plausible
| offerings who are probably going to start consolidating to stay
| alive.
| namdnay wrote:
| Wouldn't 1 be Microsoft?
| tootie wrote:
| They're not really doing the same thing but you're probably
| correct that most customers are just relying on AD. I can
| easily imagine MS beefing up their identity offering to be
| more on par with Okta.
| trevorishere wrote:
| We replaced Okta with Azure AD. AAD had better OIDC and
| SCIM support along with being _significantly_ less
| expensive -- plus we had to use it anyways due to
| M365/Azure, so Okta offered no value.
| femto113 wrote:
| Amazon/AWS and Google are big in the identity space too, so I
| think it makes sense that there's only room for one real "third
| party" option.
| tootie wrote:
| Cognito and Firebase are bush league by comparison. They
| can do the basics well enough if you have the right
| integration engineers. Okta and Auth0 are light years
| ahead.
| femto113 wrote:
| The difference is that Okta/Auth0 is never going to be
| the only piece of a solution. With AWS it's more than
| just Cognito, you have to consider IAM and SSO as part of
| the equation as well. And if you're a pure AWS shop the
| AWSness of Cognito (or its direct support in API Gateway,
| etc.) might make you prefer it to Okta or Auth0
| regardless of feature parity. For Google the key asset is
| really Gmail/GSuite/Workspace, which is the primary
| identity provider for many, many organizations (and the
| sole identity provider for most of those). However kludgy
| Google's built in SAML stuff is there is a huge value in
| only needing to deal with one entity.
| jessaustin wrote:
| It might be better for these two to merge than for either
| (or both!) to be subsumed into those much larger firms.
| This is why FTC allowed Sirius and XM to merge: to keep
| them both out of the clutches of larger firms who would
| have seriously considered killing satellite radio
| altogether.
|
| [EDIT:] Of course, this merger may just be a ploy to drive
| up the price of a future merger with one of the larger
| firms...
| andrewstuart2 wrote:
| I know it doesn't cover everything Auth0 and Okta presumably
| provide, but Keycloak is OSS and has RedHat support, and is
| honestly one of the best IDPs I've ever used in terms of
| capabilities and friendliness. I know there's also the ory
| suite in the more cloud-native/recent space, though I can't
| personally speak to its maturity.
|
| Maybe I'm biased by the large bank I currently work at, but in
| general, it seems like IAM is the last thing we really want
| outsourced/closed source and monocultured. If they lose the
| motivation to stay ahead of the competition, and stop
| responding to vulnerabilities as quickly as they ought to, it's
| not just their company that loses.
| octopoc wrote:
| I've started using KeyCloak by default for my personal
| projects. Once you know how to integrate it and configure it,
| you never have to worry about users or roles again. I haven't
| used the groups feature yet but I'm optimistic considering
| how easy Keycloak is to configure. Overall it's a great tool
| to have in your tool belt.
| andrewstuart2 wrote:
| There's just so much value in the fact that I can run it
| locally, deploy it wherever, play with it and learn it for
| free and even feel safe enough to expose it publicly due to
| its maturity and backing. As long as I stick with the
| standards (remind yourself and your users "you build OpenID
| Connect clients, not 'keycloak' clients"), I can even
| (easily) move somewhere else if I want, and now I
| understand Oauth2/OIDC better and probably have a much more
| scalable authn/z system in place thanks to the way
| federated authn asks you to design your (fine-grained)
| authz.
| mooreds wrote:
| > It's great news for the businesses,
|
| I assume you mean they'll be able to get monopolistic rents
| now?
|
| The other alternative is that Auth0 customers will be forced
| into Okta plans and migrate to other platforms. It's happened
| before with other mergers.
|
| Disclosure: I work for a competitor.
| politelemon wrote:
| > and integrated over time
|
| I'm reading too much into this sentence fragment and it fills me
| with fear.
|
| I smell breaking domain changes in the future. They can't allow
| the .auth0.com tenants to operate as-is forever, which means
| existing tenants will get grandfathered in and eventually forced
| off the .auth0.com domain onto okta's domains.
|
| I smell messy login sites in the future. I like Auth0's
| implementation of their Universal Login page, which didn't
| require JavaScript. In the quest for 'one single brand identity'
| someone will force a migration to Okta's login implementation
| instead.
|
| That will come with changing client IDs, client secrets, M2Ms and
| everything else needed in their setup.
|
| I might as well create a Jira ticket for this now.
| bena wrote:
| So you're not fond of them?
|
| I have limited exposure. We use them at my place of work for
| 2fa for our VPN. And an organization we work with uses it for
| authentication.
|
| But I haven't had to use them in anything I've developed.
| DaiPlusPlus wrote:
| The idea of _outsourced identity_ is just so contradictory it
| makes my blood pressure shoot up when people sincerely
| suggest it.
|
| I'll make an exception for Office 365 / AAD when an
| organization has already got their userbase added, but after
| that I'd wager if an org is big enough to need their own
| federated authX, then they're big enough to deploy
| IdentityServer and be done with it.
| robotdan wrote:
| >> and integrated over time
| > I'm reading too much into this sentence fragment and it fills
| > me with fear.
|
| Lol!
| tomashertus wrote:
| Congratulations to the entire Auth0 team. I admire their strategy
| on selling comprehensive auth/CIAM solution to the developer
| teams from all around the world!
| dyeje wrote:
| Does this rise to the level of antitrust scrutiny? Aren't these
| like the two biggest SSO providers?
| ROARosen wrote:
| In a way I think this is good for consumers as it positions
| them better to counterbalance Microsoft, the big bear in the
| field.
| ahallock wrote:
| A little, but I don't even think they're the biggest.
| bdcravens wrote:
| Except that AWS and Google have their own offerings (and I
| think these aren't SSO companies as much as Auth as a Service
| providers)
| motives wrote:
| Azure AD is the biggest in the game by far in terms of SSO,
| stretching every vertical from education to investment
| banking.
| DaiPlusPlus wrote:
| ...only because of Office 365 though.
| staysaasy wrote:
| Had exactly the same thought - this seems like it's begging for
| the antitrust hammer.
| [deleted]
| RazorX wrote:
| Oof, I really like Auth0 and was thinking of adopting them soon.
| Now it just seems like a huge risk. Why would I willfully walk
| into what will obviously be a migration nightmare and unknown
| pricing change for one of the central and critical pieces of my
| application (which should be boring to maintain)?
|
| Best to Auth0! I really hope you can maintain your company
| culture and excellence, but I can't risk my business on that now.
| Black101 wrote:
| another crazy valuation
| no-dr-onboard wrote:
| One auth to rule them all.
| nickysielicki wrote:
| $6,500,000,000.00 for a company providing authentication APIs?
|
| Am I the only person left on earth that hasn't lost his mind?
| omni wrote:
| Check out Auth0's pricing page and it might start to make sense
| to you, they're outrageously expensive
| anderspitman wrote:
| Centralized services gonna centralize.
|
| Something I've been thinking about recently is that a full web
| browser is a hard dependency of OAuth2-based systems. That's
| 20-30 million lines of code even for the simplest systems, even
| though you're basically just using the browser as a form renderer
| and a central space to store tokens.
|
| I feel like there's room for a simpler protocol designed to
| operate on HTTP plus a minimal UI language (maybe JSON-based)
| used to describe forms for granting access. This would make it
| much easier to develop for devices that don't have browsers. You
| could even make CLI interfaces for authorization flows.
| mooreds wrote:
| You might want to check out GNAP. I did an overview of it here:
| https://fusionauth.io/blog/2021/01/07/gnap-next-gen-oauth/ but
| you can also check out the spec here:
| https://datatracker.ietf.org/doc/draft-ietf-gnap-core-protoc...
|
| They are aware of the issues of the browser centricity of
| OAuth.
|
| It's definitely not the simpler protocol you describe, but it's
| one way to look at the future.
| BerislavLopac wrote:
| At one startup I had to switch from Stormpath to Auth0 because
| the former was acquired by Okta...
| mooreds wrote:
| If anyone's looking for an Auth0 alternative, come check out
| FusionAuth!
|
| It's been built from the ground up for developer experience with
| a distinct lack of jargon, amazing customizability, an API first
| approach and great docs. Plus, enterprise features too, including
| SSO/SAML, OIDC, and more.
|
| https://fusionauth.io/docs/
|
| (I work at FusionAuth.)
| grinich wrote:
| lol did you copy my comment? :P
| https://news.ycombinator.com/item?id=26335608
| agentdrtran wrote:
| Unfortunate. Okta is working on their monopoly.
| switch007 wrote:
| How does one migrate your users away from Auth0 as seamlessly as
| possible (when you're using their Database connection)?
|
| I seem to recall something about raising a ticket for an export
| including the hashes?
| invokestatic wrote:
| There's something about Okta that just scares me. If Okta is ever
| compromised, so are the thousands of companies that rely on it
| for IdP. How do companies mitigate this risk? Or do they?
| temuze wrote:
| That's the same fear some people have about password
| managers...
|
| IMO, the answer is simple: I would rather security be done by a
| company where security is THE feature. In other words, I trust
| 1Password's security team over, say, Hulu's or something.
| rurp wrote:
| Sure, but it's not a 1-1 comparison. If Hulu gets compromised
| you only lose your (hopefully unique) Hulu credentials. If
| your password manager gets compromised a single attacker gets
| access to _all_ of your accounts. The security standard for a
| password manager is much, much higher than pretty much any
| other service.
|
| Password managers are still the best option for most cases,
| but having to put such an incredible amount of trust in a
| single company certainly makes me nervous.
| JMTQp8lwXL wrote:
| The problem is a password manager becomes such a valuable
| target. Sure, they have more security resources given the
| nature of their business, but it's that password management
| company's security staff versus a world's-sized quantity of
| potential bad actors, and one of those two groups has more
| resources than the other.
| bonestamp2 wrote:
| I have okta accounts with a few companies and they all require
| 2FA. I hope Okta is configured so that if Okta itself were
| compromised, the 2FA would still be required to leverage the
| authentication vectors in okta.
| jfengel wrote:
| If Okta is ever compromised, they have a team of people working
| 24 hours a day to deal with it as quickly as possible. And, of
| course, to prevent it from happening.
|
| When it comes to security, it's often a pretty good idea to put
| all of your eggs in one basket, and then make sure it's a
| really, really good basket. Unless you're certain you can make
| a better basket yourself -- and when it comes to auth, there
| are a lot of ways to make bad baskets -- it's better to use
| somebody else's basket.
|
| It's not perfect, but I know I'm not an expert in auth. I use
| Auth0 and then get on with the rest of my work.
| the_duke wrote:
| You are arguing from the perspective of a single company,
| while the parent is arguing from an ecosystem perspective.
|
| Sure, for a single customer it's good to have a widely used
| product with a big ops and security response team.
|
| But if so many companies use a single provider, the fallout
| of a compromise also becomes much larger. This makes
| attacking the system more appealing and attracts more
| sophisticated adversaries, including state actors.
|
| Also, size doesn't necessarily lead to a better, more secure
| product. It often does for well-run, modern IT companies.
|
| But any familiarity with the enterprise software space is
| quite sobering in this regard.
| mooreds wrote:
| Monocultures are more efficient, until they aren't.
| invokestatic wrote:
| I've heard the exact opposite for security: defense-in-depth.
| For example, IdP with Okta and 2FA with Duo. This seems much
| better to me.
| JMTQp8lwXL wrote:
| What if AWS was compromised and every DynamoDB instance was
| accessible?
| invokestatic wrote:
| I think the difference is that the scope of DynamoDB is
| limited. A breach in authentication could result in the
| complete compromise of a company.
| sebmellen wrote:
| But use of S3, for example, is not limited much at all. It
| is very dominant.
| londons_explore wrote:
| I suspect that a breach of most companies' AWS accounts
| would lead to a complete breach of that company.
|
| Somewhere in the mountains of data stored in an AWS account
| and all its associated EC2 instances and backups on S3
| will be credentials or information to thoroughly breach all
| other systems.
| codingslave wrote:
| You literally just made this up based on nothing
| tekno45 wrote:
| Someone is able to bypass very strict security and even if I
| went with a different or self hosted solution, if I was the
| target I would be got.
| ablekh wrote:
| Good for Okta and, potentially, for Auth0. But, most likely, not
| so good for current Auth0 users and future IdM users. I believe
| that decreased competition due to industry consolidation is not a
| good thing. I would rather see Auth0 choosing the IPO (or direct
| listing) route for an "exit" ...
___________________________________________________________________
(page generated 2021-03-03 23:00 UTC)