Okta: Deep Dive Interview with Former Executive (Part 1)

Below is an edited transcript for an interview with a former executive at Okta. Key issues discussed in this interview include:

  • The product-market-fit of Okta
  • The speed of deployment of Okta for enterprise clients
  • Head-to-head competition against Microsoft
  • Potential players and competitors in the identity management space
  • Industry headwinds and tailwinds

ARPU!: In your own words, how would you describe Okta's product?

Former Executive: Fundamentally, I think the easiest way to describe it is: as you're going to work every day and using more and more cloud applications, would you rather sign into each of those things with a different password that you forget most of the time, or have a solution that lets you authenticate once at the beginning of your day, and never have to worry about remembering different passwords and being insecure when you're accessing applications at work?

There is a flavor of way to say that to an IT person or security person, which is, "Hey, guys, it's more secure for your company if your users aren't writing down passwords." That's a simple way. There's obviously a lot more to it, right? Two-factor security and security mechanisms that look for fraud and tons of things like that, but at a very high level it's about security for the company and ease of use for the end employee.

To come up with an analogy, is it more like a digital credit card or is it more like Stripe for identity management?

Let me make sure I understand. When you say Stripe for identity management...

I meant it's more like the plumbing where the information flows, as opposed to being the product itself.

If you went back to the way I split my brain on that value prop, there is a value prop for the end user, for the employee of the company, because if they are not sold on it, if they are not believing this is good for them, it's really hard to succeed. And that value prop is more the digital credit card analogy. You tap it, and you're good to go.

On the other hand, the Stripe analogy is probably better suited for the IT guy at the company. I do a little consulting on the side nowadays. It's not uncommon for me to help a small business get up to speed in Okta. I have always impressed people, when I've shown them that, "Hey, you know what? You can do things like auto provisioning." A new employee shows up in your system, and then I can show you how to automatically get them provisioned in Okta and provisioned in other systems. Completely automated, right? And I've never been short of getting an amazement out of like, a novice IT guy. "Wow. I can do this?" Right? "For no extra cost?" It saves incredible amounts of time and effort. So the plumbing analogy really works for this aspect.

What is the key problem that the customers are paying Okta to solve?

The guy holding the cheque at pretty much every company is more worried about security when they start using Okta. That is first and foremost. They do think about the end user experience and all that. And sometimes they are influenced by it, and sometimes strongly influenced by it. But the triggering factor is almost like, "Oh god, I'm freaking out about security."

How does this issue of security usually arise? Is it more of a circumstantial problem that's specific to certain contexts? Or is it part of this natural growth trajectory?

When I think about all the Okta customers, or even the folks I consult with today, I would say the majority of them have experienced some form of a breach that is triggering this interest in the area.

Who is the kind of person at an enterprise to become aware of the problem? Sounds like someone from the IT department?

Usually it is. When the sales teams start going in and approaching companies, they will generally try to find the most influential person for the problem. They will be looking for somebody, probably in the upper influential ranks, that is kind of worried about the security aspect, and if not, worried about the workload of IT.

Understood.

Yeah, and I've heard Todd say this in some of his talks that, in the early days, one of the ways they would really get more customers is if somebody who was using Okta was the CIO or CSO, instead of the IT guy, and he or she moved to a new company. The conversation will be like, "Hey, you went over there, you're the new CSO right?" And that was actually a very successful way of getting through.

I've gone through some of the case studies, which mentioned that Okta was able to deploy for 300,000 employees of a Fortune 500 company within 36 hours at the height of the pandemic. Can you walk us through what enabled such rapid implementation from both structural and functional angles?

A lot of the complexity is really on how the company is set up, or the customer is set up in the first place. If you're a company that has tons of acquisitions, your first order of business and your first problem is to sort out the messiness. If you can get that to be relatively clean, and your users are mostly in one place, the act of getting Okta up and running is in fact quite easy. You can auto-import users, you can automatically send invites. So there's a lot of mechanisms built into the product that make getting the thing provisioned, getting it functional pretty easy.

One of the nice things about Okta, and I've heard this from customers that share this, is that the user experience for the IT guy is actually pretty nice. It's pretty easy conceptually, compared to some competing products that are just hard to comprehend. So Okta is actually quite easy to use, in terms of the people actually doing that legwork and making the budget decisions.

Now that 36-hour turnaround, I bet you there's some sauce in that number, to be honest with you. I bet you they are not counting the year of work ahead of time, where people have to clean up the local environment. As long as it's relatively clean and there's a single source of truth, the mechanics are not hard at all. 36 hours is quite reasonable.

There is one other aspect that is hard, which is user training and getting the users actually set up individually. You know, there was a medical company in Florida that I helped get up and running with Okta, and you know what, for the most part, most users knew exactly what to do. They got the invitation email and clicked on it. They set up their Okta account. And they set up their Okta app on their iPhone. But there were always these other employees — you know, there's a small group of employees who were not tech savvy. There was one lady that I spent a lot of time with. For whatever reason, she had some physical issue that made her finger not readable by the iPhone, for example. By default, Okta verification on a phone requires you to use either Face ID or finger Touch ID, and it just didn't work for her, at all. So there's always a long tail of users who take a little extra time to get up and running. And I mean, look, we all know there are some people in the world who are not tech savvy. They need a little more time and so there'll be this long tail of users that I don't think would complete in 36 hours.

That's kind of interesting, because I did not know that the biometric information was part of the multi-factor authentication. How does Okta handle the data?

So Okta is in the cloud. The way a lot of these current device-based biometrics work is it's local to the device. Effectively you're registering the Okta Verify app on the phone. So in a way, it's a trust chain. The Okta Verify app on the phone trusts the device to tell the app if the fingerprint is good. And then the Okta Verify app gets to tell Okta, "Yeah, this person is good."

I see, the verification app is at the device level, not on the cloud.

Yeah. So like your Face ID, even Windows Hello, actually, the actual biometric verification happens with the devices.

Moving on to understand the competitive landscape, who do you think is the primary competitor to Okta?

(...to be continued in Part 2 of the interview)