Okta and Auth0: Results, Challenges, and Opportunities

A look inside the story of Okta and Auth0 shortly after the acquisition closed. Thoughts on how Okta can capitalize on the excitement and opportunity of an industry-changing acquisition and overcome the chaos, confusion, and risk that comes with it.
Okta is one of the cybersecurity companies that has been making the biggest moves in 2021. This article was prompted by their Q2 earnings release on September 1st, 2021; however, it's also an interesting time to go beyond the quarterly results and take a deeper look at Okta as a business.

The earnings discussion was more impactful than usual. It was the first time (and perhaps only time) Okta has disclosed detailed revenue and metrics about Auth0 since the acquisition closed on May 3rd. The company's executives also went deep into their integration strategy for Auth0, customer segmentation, customer identity, and entry into the Identity Governance and Privileged Access Management markets.

This is a longer article as it's my first time covering Okta on this site. It's an exciting time for Okta and Auth0. There has been a lot going on with the companies, and their financial results speak for themselves. The journey is still early, though, and the companies face many obstacles on their path towards winning the identity and access management market.

Revenue, Growth, and Metrics

Before we get into Okta's longer term strategic outlook, let's take a quick look at revenue, growth, and relevant long-term financial metrics. First, a few comments about the general state of the company's financials.

Okta has a fairly significant amount of long-term debt, currently $1.96 billion. The company has $2.47 billion in short-term assets (mostly cash). The company is also experiencing an abnormally high amount of stock sales by company executives and insiders. The combination of high debt, high operating losses, and stock divestitures from company insiders concerns some investors and analysts — invariably impacting Okta's stock price.

Strategically, the important part is this: Okta is one of the best and most reliable public SaaS companies out there. Losses and debt are characteristic of a growing company still in its early stages. It's not surprising for executives to sell stock for liquidity, especially because some have been with the company since it was founded over 11 years ago. Barring a mega-transaction on the scale of Salesforce buying Slack, Okta isn't going anywhere.

The Q2 2021 earnings results are impressive. Revenue growth for the quarter was 57%, a staggeringly high number for a company of this size and scale. Net Revenue Retention (NRR) was nearly as impressive: 124% for Okta, and 127% for Auth0 during the previous 12-month period. Net Revenue Retention (NRR) measures how well companies retain (and grow) customers. A rate of 100% or greater is considered good for a company with both SMB and enterprise customers.

For the full fiscal year, Okta is forecasting 50% (yes, 50%!) revenue growth year over year. Not surprisingly, they're paying for this growth with high operating losses:

Given our strong Q2 results, we are raising our revenue outlook for the full year. For the full-year fiscal '22, we now expect total revenue of $1.243 billion to $1.250 billion, representing growth of 49% to 50% year over year. We also now expect non-GAAP operating loss of $119 million to $114 million and non-GAAP net loss per share of $0.77 to $0.74, assuming average weighted shares outstanding of approximately 147 million.

50% year over year revenue growth is impressive for any company, and especially for a company the size of Okta. However, they're going to have to keep growing at close to this pace to overcome their operating losses and repay substantial debt over time.

One final (and anecdotal) aside, more about goodwill and intangibles than financials: Okta was recently named a leader in the Identity as a Service market by Forrester. This is only significant because of Okta's complete dominance of this analyst ranking year after year. They own this market, and they essentially have no close competitors. As early investor Ben Horowitz says, "They have become the Cloud Identity company."

Okta and Auth0's Customer Segments

Unpacking the magic behind both Okta and Auth0's growth starts with understanding the companies' customer bases.

On the earnings call, Okta CEO Todd McKinnon gave a detailed overview of customer segments for both businesses and broke down the additional customers Okta gained by acquiring Auth0. This information trickled out slowly during the call, ending with a fairly clear picture of customer numbers.

The story starts at the top with enterprise accounts and contracts:

Our total base of customers now stands at over 13,000. Okta stand-alone added 750 customers, which is a record for any quarter. Also included in the base is the addition of 1,650 Auth0 customers, net of common customers. Our total base of $100,000-plus average contract value customers, or ACV, now stands at over 2,600.

Next, the story continues to self-service subscriptions and free accounts:

Auth0 has an incredible base of over 13,000 paying self-service subscriptions. What's more, there are currently over 40,000 active free subscriptions being utilized by developers on the Auth0 platform.

Finally, the punch line about why Auth0's self-service and free accounts matter:

I think that at a high level, when you think about the customer mix and the contribution, I'll just call out that they're the same in a lot of ways, but they're different in a pretty significant way, which is they have this groundswell of free developer accounts and they have the -- Auth0 has this group of self-service, basically, essentially month-to-month credit card customers, which is revenue, but it's also, more importantly, it's a potential upsell avenue. So they have -- Auth0 business gets a lot of momentum from developers trying the product, using it maybe in a hobby, side project and then bring it to work and they start with a project at work where it's a month-to-month credit card. And then all of a sudden, a few quarters later, it's used in a real customer-facing initiative or an internal system that's really important. And then all of a sudden, it's upgraded to a material year-long contract.

This is an especially interesting explanation because it captures Auth0's business model in a nutshell. Essentially, Auth0's customer base looks like this:

Importantly for Okta in the acquisition, Okta and Auth0 only had 300 common B2B and enterprise customers at the top of the pyramid. The bottom two layers (and their potential conversion to larger accounts) were basically untouched.

Another incredible detail about Okta's user numbers: they don't have that many customers, relatively speaking. Last week, Jason Lemkin of SaaStr shared some interesting data about customers, Annual Recurring Revenue (ARR), and Annual Contract Value (ACV) for public SaaS companies:

Okta wasn't listed, so it's informative to compare the numbers discussed in their Q2 earnings call with the data from SaaStr. At a forecasted revenue of $1.25 billion this year, Okta is roughly the size of HubSpot in terms of revenue. However, HubSpot has 114,000 customers generating its $1+ billion in revenue. As a result, ACV is relatively low at $9,649 per customer.

Okta didn't provide a specific ACV; however, they did mention over 2,600 customers paying more than $100,000 per year. This implies a much higher ACV for Okta, and also the key to their continued growth: adding new $100k/year annual customers and growing revenue from existing customers over the $100k mark.

The Race to Win Customer Identity

The mission set forth by Okta in previous quarters (and reiterated on this call) is clear: win the Customer Identity (CIAM) market.

Aside from eliminating a strong competitor, acquiring Auth0 was about Customer Identity. Todd McKinnon said it himself on the call: "A real core of this [Auth0 acquisition] is owning the CIAM market."

McKinnon outlined the breakdown of revenue coming from Customer Identity (CIAM) and Workforce (employees, contractors, and other third parties within a company):

CIAM now represents over one-third of total ACV and grew at 54%. Within this, Okta stand-alone CIAM ACV grew 49%, and Auth0's ACV grew 63%. Workforce ACV now represents just under two-thirds of total ACV and grew 37%.

These are interesting breakdowns. Okta is fairly balanced between workforce and customer identity segments. Both are growing quickly, but 49% growth for Okta's CIAM business is large. More importantly, Auth0 is going to end up being a great acquisition if it continues growing CIAM ACV anywhere close to a 63% rate.

McKinnon had an interesting insight about the CIAM market:

So the way it breaks down is that this $30 billion TAM is really a couple of separate TAMs. There's a very -- like very customized or developer-focused, fine-grain control, control every pixel, every bit and byte. That's the market that Auth0 is very well suited to go after.

Then there's the more tightly integrated to -- you might have a company that's doing customer identity, but it's maybe more B2B...It's less development and code per se, and it's more policy and they want a low-code environment, that's where the Okta CIAM platform really excels.

Looking at the CIAM market in two separate segments helps explain how both Okta and Auth0 can continue to function and grow as standalone products while they integrate operations and technology.

Finally, McKinnon mentioned a stat many people in the industry aren't aware of. Okta has the largest CIAM revenue of any company in the industry:

We talked about 30 -- about 33% of our ACV, roughly about $1 billion of ACV, it's $330 million roughly. And that's the biggest CIAM vendor by far. It's not even close if you look at the other competitors. It's hard to tease apart some of the platform guys, but the point competitors is not even close.

By comparison, total annual recurring revenue for Ping Identity and ForgeRock is $279.6 million and $155 million, respectively. Revenue for both companies includes a mix of workforce and customer identity. Okta's CIAM revenue alone is at least $50m larger than that of its close competitors. Okta is leading the CIAM market, but the competition in this emerging market is far from over.

Entering the Identity Governance and Privileged Access Management Markets

As discussed in previous quarters, Okta is entering both the Identity Governance (IGA) and Privileged Access Management (PAM) markets. I'm revisiting the topic here as it's the first time I've covered Okta on this site.

Okta entering the Identity Governance (IGA) and Privileged Access Management (PAM) markets is a big deal. These markets are traditionally owned by two of Okta's contemporary peers — IGA by SailPoint, and PAM by CyberArk. Along with Ping Identity, these identity-focused companies essentially grew up together and IPO'ed at roughly similar times.

Okta has competed with Ping Identity in the Access Management market since the beginning. Announcing a move into the adjacent IGA and PAM markets is a signal that Okta isn't going to be content with its original place in the Identity and Access Management market — it wants the whole thing.

Okta's COO, Frederic Kerrest, had an interesting take on entering the PAM and IGA markets:

It's not as though we're sitting in an ivory tower coming up with great ideas, although we do, do that from time to time. But this is actually one where the customers have been saying for some time, "Hey, will you give me a modern PAM solution? Will you give me a modern IGA solution? I want something new. I don't want to buy it from the legacy vendors of yesteryear." And I think that's a great opportunity for us. So a lot of pipeline already built up.

This anecdote summarizes the opportunity and the perspective of many Okta customers well: Okta is the modern identity platform, and customers want it to be a full platform they can use for everything related to identity and access control.

The real proof is in the results, though. Building IGA and PAM solutions from the ground up isn't a trivial undertaking, especially with formidable competitors like SailPoint and CyberArk. It also doesn't mean customers will abandon their previous investments in IGA and PAM and move to Okta right away. Okta isn't going to instantly steal these markets — entering them is a long term play.

Integrating the Companies Going Forward

As expected, a fair amount of time on the earnings call was spent discussing the integration of Okta and Auth0 going forward. Most of the discussion was focused on operational and financial integration. Technical integration was lightly covered and leaves a lot of open questions for me.

First, a brief step back to comment on Okta's acquisition strategy. The acquisition happened before I started writing, so I wanted to address it. Okta's decision to acquire Auth0 essentially came down to this: Auth0 was Okta's most legitimate long-term competitor. The best strategic move for Okta was to eliminate Auth0 before the company grew to a point where it was a strong competitor or became too expensive to acquire. $6.5 billion is a steep price at a high multiple, but that's a small price to pay for long term ownership of a large market.

Todd McKinnon made a few comments about the market on the earnings call:

So there's the qualitative, there's the quantitative in terms of the strategic priority of the combined entity...And the first thing is we only have 300 overlapping customers...if it was just about like two competitors going after the same small pie, you would have had a way more overlap in terms of customers or at least the competitive pipeline, and we haven't seen that materialize.

This statement is accurate right now, but I don't expect it would have remained true going forward. Okta and Auth0 didn't compete much historically because Auth0 is a much smaller company, and cloud identity is still a growing market. Fast-forward 5 or 10 years, and these companies would have been fierce competitors in a mature market if an acquisition hadn't happened.

Yes, there are many other reasons and benefits for acquiring Auth0: respected leaders, innovative technology, minimal customer overlap, and so on. Okta leadership waxed poetic about Auth0 throughout the entire call, and for good reason — Auth0's numbers are excellent. You won't hear either company's leaders talking about eliminating a competitor, even though doing so was likely the primary driver.

Operationally, the open question was how Okta would choose to operate Auth0. Would they integrate the company and its platform into Okta, or operate it as a standalone company? The answer is clear — they're going to integrate:

On the financial question, first and foremost, we're really excited about Auth0, obviously, as you can tell by our commentary today. But I think maybe the fundamental point is really around how we're going to run them. If we were running them as a separate entity, which as you've heard today, we're running as a product unit, things are becoming integrated from a G&A perspective, from a sales perspective, but if say, and let's pretend that wasn't happening, we would run it just like we ran Okta back then, where we balanced growth and profitability. And you've seen that in the results for years.

But since we are bringing everything together, having a product unit, having sales being pulled together, and then G&A being pulled together, now there won't be a relevant compare, but if there was that situation, it would be run just like we did, run ourselves back three, four, five years ago, where we focused on growing the business while also doing -- while also expanding margins over time.

Essentially, the Okta leadership team already knows how to grow and operate a cloud identity company. They could just use the same playbook with Auth0 and do it all over again, but that's not the strategy here. They believe an integrated company and technology platform is more valuable than running the companies separately.

Financially, the impact of integrating Okta and Auth0 was both obvious and acute — they're spending a lot of money running both companies. As summarized by Okta's interim CFO on the call:

Total operating expenses grew 76%. The growth in expenses is primarily attributable to Auth0. With the addition of over 900 Auth0 employees, total headcount now stands at over 4,100 employees. Opex was lower than expected primarily because we are operating more effectively together with Auth0 than previously expected.

This type of increase in operating expenses is eye-opening; however, it makes sense in the case of Okta and Auth0. Their goal as a combined company is going to be cutting operating expenses and operating more efficiently at scale.

They wasted no time starting down that path. The most explicit operational integration announced was the combination of Okta and Auth0's sales organizations:

We've made the decision to accelerate the timeline for integrating the sales organizations under Susan St. Ledger's leadership to the beginning of the new fiscal year in February. This move will allow the unified sales team to sell both platforms and benefits customers by providing more options to meet their unique use cases.

This move isn't surprising whatsoever, especially after seeing the data and discussion about Auth0's success with bottom-up customer acquisition. The exact number of sales employees at Auth0 wasn't mentioned, but I doubt they had many people given the bottom-up growth model and relatively small number of enterprise accounts.

I expect it's going to be confusing for Okta's unified sales team to help customers sort out which platform to use. Okta and Auth0 both have their individual strengths and differences, but a lot of features are similar. They're similar enough that it would even be challenging for a technical person to explain and rationalize the differences (myself included). It's even harder for a sales person.

Todd McKinnon made a telling comment on this topic during the call, mentioning "...we want to keep flexibility on how we package and sell and position the products." His comment was in the context of assigning revenue; however, it easily could be representative of the inevitable challenges that are likely to come from the early stages of integration. Expect confusion in messaging and deal structuring until Okta rationalizes its approach for the stand-alone Okta platform and Auth0.

McKinnon later commented more specifically on the overall integration efforts:

It's also very important as we keep executing through the rest of this year that we get the integration going. We mentioned the sales integration, getting that synergy going, and making sure we take this from initial success, keep the momentum going to this long-term future, where we are really this one-stop-shop for all these identity choices and compelling leader in the market for customers.

This integration is still in the early stages, as you'd expect only months after close. There's still a long way to go.

Technically, there is another significant challenge at hand — rationalizing and integrating the company's technology platforms. Again, it's very early. From Todd McKinnon:

What I saw this past week was the first mockups and the first concepts of what deep integrated products could look like in the future, it was very cool. These are just — the teams have just started to work together.

Auth0 is a younger company built on a newer technology stack. It has fewer products and features. Okta is a more mature company with an older tech stack. It has more products and more features, some coming via smaller acquisitions in the past.

Auth0 has been successful and built its developer following because it's a well-built and well-documented product. Its user experience and developer experience are equally great. Monkeying with a platform this pristine carries risk: developers are a notoriously finicky bunch with little tolerance for hiccups or other inconveniences. Problems are bound to occur in an integration this complex — will Okta drive away its coveted developer customers? The success of the Auth0 acquisition largely hangs on the answer to this question.

A $6.5 billion price tag to acquire Auth0 is expensive for Okta. With a high price comes high expectations. Auth0 is expected to generate $200 million of Annual Recurring Revenue (ARR) by the end of Okta's (current) 2022 fiscal year. To reach the value it's expected to return, this acquisition can't fail. The most likely reason it could fail is a delayed or poorly executed technical integration.

Longer term, the upside for a combined Okta and Auth0 is high — particularly if they execute well across the board. I expect them to succeed based on Okta's strong track record of execution. Time will tell, and there's still a long way to go.
