Okta, Inc. (OKTA) Earnings Call Transcript & Summary

Look, the chat was originally supposed to be with just Eugenio. And the goal is to still keep most of the time dedicated to Auth0. But given the news out yesterday, Todd did reach out proactively to jump on the call and kind of address investors head on. So Todd, Eugenio, thanks for joining us today.

That's great to be here. Thanks for having me.

I am going to kick it off with some few questions for Todd before we move to Eugenio. But guys, again, this time is for you. So please ask questions through the chat box. Management only requests that you keep them focused on the Auth0 side of the business. And then also, you guys know the drill right now, we're sending out a quick 3-question survey at the end. This is for feedback for management. It's important to them. It's important to us. So please, please fill out the survey. And with that, let's kick it off. So Todd, thanks for jumping on.

Yes, for sure. No problem. Appreciate it. Good to be here.

Great. We all saw the news out yesterday. But just kind of give us the lay of the land. What exactly happened? Was it a breach? Was it not a breach, some are calling it a compromise. What exactly occurred? And just why not give us some more insight into what was going on back in January.

Yes, for sure. So what happened was, we had a sub processor, it's called a sub processor. It's like an outsourced support team that help us supplement our support of our Okta customers. And in that support center, there are about 40 support agents that take calls and do tasks for things like password resets and filing cases and looking at solutions for cases and things like that. And that support center had a breach. And they got -- the hackers got into that support center and got access to those computers and were able to view and control the computers. And so the implications for Okta are that it's essentially the whatever a support person could do or support engineer could do, the hackers could do on their behalf. And so the blast radius of that is constrained to the permissions that support engineer has. So that's what we've been really focused on is -- first of all, we've been focused on customer communication and making sure that customers understand what's happening and understand the dependencies and any impacts to them. And based on the access that those support engineers have, it kind of drives all of the downstream impacts.

And just for investors, the way to think about it, your support engineers, they're kind of limited in...

It's like a kind of a Tier 2 support, which is low level support.

Great. And then you said you're focused on the customers. Just talk to us about the first 24 hours since the news drop. Obviously, we saw a lot of focus around MFA. Some people possibly need to reset passwords. I think someone even mentioned Log4j. But aside from that, how has the initial reaction been from customers and even maybe some prospects?

The reaction is just one of collaboration. They want to understand like all of their technology and their stack. They want to understand the dependencies and the risks and how it fits together. And so our focus has been on giving them as much information as fast as possible, whether that's through direct customer interaction or whether that's through blog posts or whether that's through various other channels, CSMs, et cetera. And that's the spirit. It's like, here's what we know. Here's how it's evolving. Here are the risks. Here are the whole situational awareness and to help customers manage through all issues because we're -- we work with customers on security issues that they're having in their environment that Okta can help them solve. And so this relationship where we work with customers on triage and through these things is something they value in us. And when a situation like this happens, it's no different. They want to work with us to figure out the impact and how they can mitigate it and move forward.

And we saw a lot of those blog posts, the communication you were putting out yesterday. Is the way to think about it and like the customers understand that this is still evolving, is case closed, it all behind us? Like where are we in that process?

Yes. I think these are -- I mean, you can imagine that we're very -- we have a whole team that is totally focused on security. So the team is it's continuous. They're always looking at all issues and threats and opportunities. So clearly, they're focused on this. This is their major focus. And it will be that way for a while just to make sure we understand everything happen down to every last detail, every implication, every customer impact. You saw in the blog post we released last night, one of the things we're doing is we're actually -- there's only in the time frame when this was an issue back in January, which was a 5-day time frame in January. We know, we log what all of those support engineers do. And so we know which customers they interacted with, whether it was the hacker doing that or whether it was the customers -- or the customer support agent. So we know what the exact number of customers that theoretically had anything, their environment, their Okta users potentially viewed or a password reset or anything, so we can tell them exactly what happened. And that's what we're in the process of doing now. Because the way the system is designed, there's -- the hacker can't see the passwords and they can't receive the resets and they can't -- so that's -- the system is designed like that. So it really constrains what's possible from a risk perspective, which is one thing that customers find really comforting.

Right. So it seems that even though a service engineer had access, they're very limited into what they can see from a customer data perspective.

Yes. It really just -- they can just see the users, like the list, like a user ID.

And when we kind of look out past this initial news release, obviously, you guys aren't updating the guidance. But how should investors think just about the potential impact, if at all, the sales cycles and maybe just the future growth trajectory over the next 12 months?

We're very confident in the growth trajectory. I think we've built the company with this partnership with customers for a long time. And I think that customers are -- if you're running the business today, it's one of the reasons we're so successful is because there's so much technology and we do such a good job helping them capture the value of that technology. And part of that is a collaboration through new initiatives, through potential issues. And I think they'll see that we're really a strong partner in that regard.

And kind of just doubling down on that last comment, we have spoken some customers since the news dropped, like what is your #1 initiative kind of to reinstill confidence in your customer base and future potential customers that they should still be trusting Okta with their identity needs going forward?

Well, it's -- I think it's always been our #1 continuous ongoing priority. It's customer success and trust and confidence in Okta. It's really important to our brand, and we've built a very, very strong brand around this, and I expect that to continue.

And just kind of very quickly before we do switch gears over to Eugenio and Auth0. My last question for you is just, is there anything else that maybe I didn't ask about that you kind of want to tell investors or feel that they should know regarding kind of the last 24 hours when the news sets out?

No, I think we covered it. I think you have -- and when I talk to customers, the only thing maybe the sentiment is that they really know, to be successful, they need partnerships. They can't do it on their own. The vendors have to work together, the vendors have to work with customers. And I think that we're -- you asked about priorities. The top priority is making sure we continue to maintain that relationship and that we -- that trust and that confidence that we're working hard for them.

Well, Todd, thank you for jumping on last minute.

Yes, I'm happy to join you. It's nice to see you.

I know investors definitely appreciate it. But now actually, I think we're going to talk to the star of the show. So Eugenio, maybe some easier questions. I did just kind of want to start off high level. We're still in very early innings of this very, very large customer identity access management opportunity. But how would you characterize the demand environment now that we're almost 3 months into 2022? And maybe just how does that demand environment compare to a year ago and even pre-COVID?

Well, demand has been sustained, it's strong, strong throughout, through COVID, through last year as we were going through our integration as becoming one company. And I think there's clearly a need for the problem that we solve and even more so in a world where more and more of our lives move to a digital world. And if you think about it, think about your day in your life, professionally and personally. How many times you don't need to prove who you are to technology? Very few. It's very, very few, if any, application that doesn't need to know who you are and based on who you are do things for you differently, perhaps. And so it's -- the money has been very strong. And it is even a more realization as companies continue to transform digitally moving forward.

And we've sort of been asking everyone we posted a fireside chat with this question, but there's a view that the pandemic may have accelerated some demand for certain areas of software. Did Auth0 experience any pull forward of demand, maybe as organizations kind of all of a sudden spun up all these apps during COVID because that was the only way to service their customers in this new norm?

There's been some tailwinds, I would say. But I wouldn't say that it's -- that it was like a massive acceleration. I think now there's a realization that we're behind. And if you look again at the world surrounding us, most applications are still struggling to provide a great user experience when it comes to authentication. Now there's been this tension throughout history between security and user experience. You can have a very, very secure application that prompts you for credentials every 5 seconds, which is a terrible user experience. Or you can have like no security at all, it's great user experience, but not very secure. And so we looked at this world as being at odds. And part of what we do is precisely this maximization of these 2 variables that seems to be at odds. And if you look at what systems are doing today, they are not great in user experience. I know you, but I'm sure you have like many, many passwords still in a world where you can -- you don't have to use passwords anymore. There's technology that would allow you to not use passwords at all. How come nobody is using that? Or how come the vast majority of companies out there are still not doing that. Well, that's what's propelling our business as well. It's taking them to 2022.

And so it sounds like demand is strong. We might even be behind. And you guys have this awesome tech to kind of figure out and make my user experience much better and secure. I want to touch a little bit on the competition. We've always heard from you guys that it's kind of this buy-versus-build scenario. But what would you say are some of these like key drivers that are causing more customers to outsource this aspect of their application build Auth0 instead of how they used to do it in the past and kind of build it in-house?

Yes. So totally the biggest competitor for us, it's build yourself for whatever was there before. Because it's very rare that we start with a customer with a greenfield scenario. So unless you're a start-up and you afford to start from scratch, like literally nothing. There's no installed base, there's no legacy. The vast majority of the world has something because, again, authentication, you cannot live without. The 2 biggest drivers, I would say, for choosing an expert like us, Okta, we are experts in this domain. The reasons customers choose us is because, first of all, they have other problems to deal with and so there's an opportunity cost. One hour of a developer or technologies that is spent building this thing, it's an hour that you're not spending building a better system for your customers, whether it's in financial services, on transportation, or health care or whatever, the domain expertise in whatever they're solving, they all need authentication and authorization, but that's not their core competence or the core concern. So that's one. And I heard some time ago that there's like a demand for 300,000 developers in the U.S., and we only meant like 30,000 every year. So which means that for the next 10 years, we will not cover that gap. So anything that makes your developers more productive will be a big appealing thing for you to consider. And certainly, this is one of those. But the second component is precisely the security expertise and the posture because as more and more of our lives move to the digital world, there's going to be more value there and it's going to be more attractive for bad agents. And that requires expertise and requires dedication. We are an entire company of 5,000 people dedicated to this single problem, which cannot -- it's very difficult to match everywhere else. And so we are going to be providing you a better, more robust, more available solution that you can do yourself. And more importantly, faster because time to market is another important driver.

And what about just from like a pure competition perspective, competition from other identity vendors, which of the well-known players, maybe a Ford truck or a [ ping ] you see the most in the market? And what would you kind of describe as Auth0's like competitive differentiator for why someone is going to choose your solution over a competitor?

Well, for the last -- my mom used to work in a data center with a mainframe, and that was like 50 years ago. Don't tell her. But she had user name and password, and she used an IBM mainframe. And so there was -- there are identity systems since there are computers. So we encounter every brand, every company. Every company has something in identity and access management. And so we encounter a lot of them. But a lot of the times, these systems which have been there for ages have not really evolved with the times and with the times that we live in today. And so you end up finding some of the vendors that you mentioned, but also with lots and lots of code workarounds and things around to just complement what they were doing out of the box with what they require. The biggest differentiator in Auth0 and in Okta is, first of all, we are a company -- we are a modern company for modern times. We are cloud-native companies or we were cloud-native companies. So we are now one company that understands how technology is -- what's today's world in technology and what's coming in the next 10 years. But also more specifically, we focus on perhaps the biggest, biggest change is that we don't want our customers to become experts in identity. And so if you look at some of other approaches in the past, those products have been built primarily for identity and access management gigs. People who are like want to know the nitty gritty of the standards and the corner case, use case, we are kind of the opposite. Our main value is that we don't require anybody to be an expert because we are the experts. So simplicity of use is one of a big design considerations for -- you can see this both in Okta and Auth0. It just works. You don't have to spend like 6 months configuring and deploying an expensive professional services. All of that, it's out of the box, it just works. You turn it on. There's new deployment. We have cloud SaaS companies. So simplicity is a big, big differentiator. The second differentiator, which is equally important and very difficult to do, which is probably why we kind of nailed that component too is the extensibility. Because 80% of the -- or 20% of the use cases, it happen 80% of the time, it just works. We don't need to do anything. But this is a long tail of integrations or special cases, which every customer does. And for those, we give you the power to customize and extend the platform without having to wait for our road map. Customers is like Excel spreadsheets. In Excel spreadsheets, there's lot of formulas, but you don't need to enter yourself. The average, it's already built in into Excel. But when you need to do your own formulas, Excel allows you to do your own formula and put your own -- essentially code the formula. We have essentially the same capabilities in our platform where you can take our platform for common sign-ups, log-ins, social log-ins, progressive profiling and a few other requirements in our world. We just give it to you. But when you need something special, you can easily extend it without having to do Frankenstein things.

And you talked about how you were 2 cloud native companies, you're now 1 company. But let's go back to how you weren't always part of Okta. You were just Auth0. And Okta has their own SIEM solution, which they still seem to kind of be investing in pretty heavily. So how does the Auth0 offering kind of complement existing capabilities from Okta? And if I'm a customer, and am I buying either the Auth0 SIEM features or the Okta SIEM features? Is there a dynamic where I buy functionality from what used to be both your separate offerings? How do we think about that?

Yes, it's a great question. And I get that question a lot. So we don't seem to be investing. We are investing. I mean we're very crystal clear on that. We are investing on both platforms or on the 3 platforms, if you will. In Okta workforce, in Okta SIEM and in Auth0. And the reason being that between the 2 platforms are complementary. So you might think that identity and access management is like one thing. It's authentication and authorization. But there's a lot of nuance and there's a lot of details, and there's a lot of use cases. So the first big classification is workforce and SIEM. Clearly, Okta has the strongest product in workforce. Now if you double-click on SIEM, SIEM is actually made up of 3 clusters of use cases. And so it's one use case, which we call consumer applications, which we all know because we use them all the time. You go to a newspaper, you buy tickets in an airplane or watching TV on Netflix, that use case, consumer apps. The second cluster is what we call SaaS applications. So Zoom will be a great example of that. Applications technology that is being consumed by mostly companies. So it's kind of like the supply side of workforce. So it's the other side of the coin of workforce. That's another category. And then there's a third category, which we call external collaboration, which includes both consumer use cases and business cases. But the main difference being that the identity of the individuals interacting with that technology is not self-managed. So when you subscribe to a newspaper, you don't call the newspaper and say, hey, I want to become a subscriber. They don't send your papers to fill in or any of that. You just do it yourself. You sign up on whatever website and you do it yourself. But when you get a mortgage or when you do certain operations that require like some preexisting relationship with the entity, you don't go to the website and sign up. You just see forms, you go to a bank and then you get an online account that is correlated with that. That's the world of external collaboration. It turns out that Auth0 is optimized for consumer apps and for SaaS applications, which is where developers -- there's a lot of development happening. And what we call Okta SIEM, the Okta SIEM platform, it's actually optimized mostly for the external collaboration use case. And so there's, of course, like some similarities in use cases in terms of life cycle management of a management entity from workforce that go into managing entities in external collaboration as well. What I'm saying with this is that between the 2 platforms, Auth0 and Okta SIEM, we can cover more surface, these customers with use cases in the 3 buckets that I just mentioned. Some of them more on one or the other, it doesn't matter. So we are investing in both because with both platforms, we can cover the full spectrum of requirements that our customers have.

And I think one of the main focus from investors is with Auth0 onto the Okta umbrella, there's this natural cross-sell opportunity. How would you kind of just characterize how that cross-selling has been going with the existing customer base? How successful have you guys been with it to date? And just help us understand like what is the ASP uplift or the monetization opportunity you're seeing as customers start to purchase across both Auth0 and Okta?

Well, it's still a little bit early because our combined go-to-market teams barely started, really, even though we've been formally together for, gosh, like 9 months now, 10 months. The sales systems and the sales teams have only started working like being one at the beginning of the year. And so it's been early, but it's great to see already customers using which were Workforce customers now purchasing Auth0. Auth0 customers purchasing Okta Workforce. So that was already happening. And our -- we had a fantastic last year. I think a couple -- at least from the Auth0 side, what has happened is that either with any trepidation in larger organizations to purchase Auth0, now there isn't because we are a public company. We are a company of experts. This has been like the validation in the market that we are the true experts in this domain in the full spectrum of requirements. And so there's been early wins, which is awesome. The business has not slowed down at all. On the contrary, we've been able to sell into larger organizations, but before maybe we're a little bit more reluctant buying from a private company like we were. And last year, we were both named leaders in the Gartner Magic Quadrant, which is another industry validation of -- it's not just us saying, hey, we are leaders. Gartner is saying the same thing. And so it's early, but we are very excited about what's going to happen this year.

And maybe just talk about some of those early wins. I'm assuming it's going to go back to the use case answer, but why all of a sudden do these Okta customers choose to buy SIEM from Auth0. They could have always bought SIEM from Okta. So what is it that's driving the cross-sell now when the cross-sell could have always existed before Auth0 was under the Okta umbrella?

There's 2 things I would say. The first one is the classification of use cases and based on what I described before, hopefully, you get a sense that even though we were calling it SIEM, there's 3 flavors of SIEM. So customers are doing different things. And we have customers today, they're using all of that, using Okta Workforce, Okta SIEM and Auth0 because they happen to have all of those use cases under their umbrellas. But there was another aspect of this -- what was the -- repeat the question for me, please?

Why all of a sudden are the early adopters of Auth0 choosing to purchase SIEM today when they could have always bought SIEM from Okta. What's that driving the cross sell now?

The main reason is a different use case, for sure. It's also an awareness thing. Auth0 was a couple of years behind Okta and now being part of the Okta brand. All of a sudden, there's already a bigger awareness that we exist this is a big, big market. It's depending on who you read and where -- it's anywhere between $30 billion -- it's roughly $30 billion of total addressable market. And even combined, we are just a very, very small percentage of that market. So there's an awareness component of this as well, which is, I don't know that these existed.

I'm going to wrap it by 2 questions very quickly because we're short on time. But we have the sales team unified under Susan. I think everyone could sell everything now. What are kind of some of the key initiatives that you're most excited about to kind of continue to propel the strength that we've seen in Auth0 recently?

Initiatives in -- do you mean like in the sales initiatives? Well, our biggest priority is global expansion and expanding into the federal market. And so those 2 are important. Auth0 had a percentage -- not in absolute numbers, but percentage-wise, why is that a bigger component of an international market, and that's something that we can -- is a big, big opportunity. Because the problem we solve is not exclusively in the U.S. It happens everywhere in the world. Second initiative, it's expanding into the public sector.

And then the next one is from an investor. It sounds like the external collaboration is more a niche use case than consumer apps and SaaS apps. Is the expectation that the majority of the customer identity revenues are going to be driven by Auth0 rather than Okta over time?

No, I don't think so. The -- it might sound like it's niche, but there's like plenty of customers in that category as well. They also tend to be like a little bit more involved with either regulation to use financial services and service regulations or integration with more complex. So maybe the number -- in number, you have like a larger number on the other 2 because it's 2 out of 3, but they tend to be more bigger projects as well. So I wouldn't say that it's larger revenue in one or the other.

And just the last one from an investor and maybe Todd could jump in on this one also.

Still here.

For every dollar that a customer pays for Okta, can you guys estimate the value associated with maybe the data or the app telemetry that you guys get from that?

I think it's very valuable. And I think that we're -- we have a lot of ways we could actually build products to make that value accrue to the customer actually. It's a very interesting area for us. Basically, we've been focusing a lot on gaining more customers, getting more traction, providing more capabilities and building more data. And I think over the next few years, you'll see us spend more time on capabilities that will actually translate that value back into customer value, which will, of course, increase the value we can -- the value we provide and the value we receive.

Amazing guys, I want to keep you guys on schedule. But thank you so much, Todd, thank you for jumping on last minute. Eugenio, thank you for joining us as well. And again, thanks everyone else for joining and being part of this fireside, and we'll speak to everyone soon.

Thank you very much. Thanks for having us.

Thanks for having us.

Bye.