On Authentication


Nov 23 | 3471 words, 21627 characters

Introduction

Most of the modern internet greets you with, “who are you?”

When we go online, we’re no longer known as “Richard” or “Advait”. Rather, our computers store giant strings known as access tokens such as “eyJ1aWQiOiJkNGY2MD…X19”. Companies then build personalized experiences around our identities.

On Amazon, we can order a book without having to dig out a credit card. On Facebook and Instagram, we scroll through a dopamine-rich newsfeed with side dishes of targeted ads. On Netflix, we can pick up our favorite shows right where we fell asleep.

The technical term for all these magical feats is authentication (who are you?) and authorization (what can you do?). Most of us experience this magic in the form of sign-up and login pages. Since we interact with them all the time, we take it all for granted.

Many companies feel the same way. Auth gets viewed as a checkbox: as long as users can log in and use the product without a security breach, it is called good enough.

I’ve spent the past few years/months working in authentication. It’s normally pretty hard to get excited about authentication but when your whole company is based around it, well, let’s just say that I’m pretty pumped about what the future holds.

In this piece, I’ll explore the current state of authentication, how we got there, and what we can expect looking forward.

A Quick Overview

Both authentication and authorization fall under the umbrella of Identity Access Management (IAM), the system in which the right users have the right access to resources. [0]

Sometimes, it’s hard to know what counts as authentication. Does storing and securing login information fall under authentication? What about verifying customer identity with KYC? Or fraud monitoring / preventing spam attacks? The line between authentication and general security becomes blurry.

Even within authentication, there is workforce authentication and customer authentication. Workforce authentication covers Business-to-Employee (B2E) systems, where an employee signs in to a corporate portal and accesses applications like Slack or Gmail. Customer authentication covers the single-user accounts we are used to using day-to-day.

For this piece, we’ll focus on customer authentication and largely skip workforce authentication solutions like Okta (without Auth0) and Duo.

To start, let’s talk about the market size for customer authentication.

IBIS World is my default source for market sizes and has the market size of Identity Management Software at $4.5 billion for 2023. That, well… seems small. On the other hand, Okta’s CEO is estimating their customer authentication market at $30 billion.

Okta’s calculation here is a little funky. They take Facebook’s active user count (4.4 billion) and multiply it by roughly $7 per user per year. That’s a bit high. Granted, Okta has a vested interest in inflating the customer authentication market. After all, they did spend $6.5 billion acquiring Auth0.

The customer authentication market is likely somewhere in the middle. Or more precisely, around $11.88 billion. [1]

Authentication today

Imagine you are a developer and your boss just told you to implement user authentication in the company application.

After a couple minutes of googling, you find a lot of people saying, “never roll your own authentication/authorization”.

It makes sense. After all, you want to avoid staying up all night deciding between hashing techniques. Argon2 is harder to crack at the cost of memory, which means you need to rate limit how many hashes happen in parallel or risk crashing your server. It’s also weaker than BCrypt for runtimes under 1,000 ms. There are also SHA-512, Pufferfish2, and scrypt, each with its own set of tradeoffs.
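The memory point above is easy to state and easy to get wrong in production, so here is an added example (mine, not the author’s, and not code from any provider named on this page) that makes it concrete with scrypt from the Python standard library, which the paragraph lists as one of the memory-hard options. The memory-cost formula (roughly 128 × r × N bytes per hash) and the parameter values are assumptions chosen for illustration; the semaphore caps how many hashes run at once so the total stays inside a memory budget instead of letting a login burst exhaust the server.

```python
import hashlib
import hmac
import os
import threading
from concurrent.futures import ThreadPoolExecutor
from typing import List, Optional, Tuple

# Assumed scrypt parameters for this example: N = 2**14, r = 8, p = 1
# (about 16 MiB of working memory per hash at these values).
N, R, P = 2**14, 8, 1


def scrypt_memory_bytes(n: int = N, r: int = R, p: int = P) -> int:
    """Approximate working memory of one scrypt call.
    The ROMix block array dominates at 128 * r * n bytes; the p parallel
    lanes add 128 * r * p. Good enough for a capacity budget."""
    return 128 * r * n + 128 * r * p


def max_parallel_hashes(budget_bytes: int, per_hash: Optional[int] = None) -> int:
    """How many hashes may run concurrently inside a memory budget (never 0)."""
    per_hash = per_hash or scrypt_memory_bytes()
    return max(1, budget_bytes // per_hash)


class BoundedHasher:
    """Password hasher that refuses to run more scrypt calls at once than the
    memory budget allows. Excess requests wait on the semaphore rather than
    allocating memory the server does not have."""

    def __init__(self, budget_bytes: int):
        self.limit = max_parallel_hashes(budget_bytes)
        self._sem = threading.Semaphore(self.limit)
        self._lock = threading.Lock()
        self._in_flight = 0
        self._peak = 0  # highest observed concurrency, for the test/monitoring

    def hash_password(self, password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
        salt = salt or os.urandom(16)  # fresh random salt per password
        with self._sem:  # blocks when `limit` hashes are already running
            with self._lock:
                self._in_flight += 1
                self._peak = max(self._peak, self._in_flight)
            try:
                digest = hashlib.scrypt(
                    password.encode(), salt=salt, n=N, r=R, p=P, dklen=32,
                    # hashlib enforces this ceiling; set it just above our estimate
                    maxmem=2 * scrypt_memory_bytes(),
                )
            finally:
                with self._lock:
                    self._in_flight -= 1
        return salt, digest

    def verify(self, password: str, salt: bytes, digest: bytes) -> bool:
        _, candidate = self.hash_password(password, salt)
        return hmac.compare_digest(candidate, digest)  # constant-time compare

    def hash_many(self, passwords: List[str], workers: int = 8) -> List[Tuple[bytes, bytes]]:
        """Simulate a burst of concurrent logins; concurrency is still capped by the semaphore."""
        with ThreadPoolExecutor(max_workers=workers) as pool:
            return list(pool.map(self.hash_password, passwords))

    @property
    def peak_concurrency(self) -> int:
        return self._peak


if __name__ == "__main__":
    hasher = BoundedHasher(budget_bytes=64 * 1024 * 1024)  # assumed 64 MiB budget
    print("parallel hashes allowed:", hasher.limit)
    salt, digest = hasher.hash_password("correct horse battery staple")
    print("verify ok:", hasher.verify("correct horse battery staple", salt, digest))
```

The same arithmetic applies to Argon2 (its memory cost is an explicit parameter), which is why the paragraph’s "rate limit how many hashes happen in parallel" advice is really a memory-budget calculation: pick the cost, divide the memory you can spare by it, and enforce that number.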

Maybe, your boss wants magic link logins. Sounds simple enough right?

Well, you start considering the case where a user generates several magic links before clicking on any of them. Do you invalidate the previously generated ones?

That’s bad UX. But if you keep all the previous ones alive and revoke all of them when one is consumed, things get pretty complicated.

Email clients also become your worst nightmare. Some email clients, especially Outlook, open the links in an email in order to scan them. While it’s a nice security measure, it also means the email client is consuming your carefully crafted magic link. By the time your user clicks on the link, they’ll be redirected to a "link invalid" page.
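Here is an added example of how a magic-link store can handle both edge cases from the last three paragraphs: several outstanding links for one address, revocation of the rest once one is used, and link scanners that open URLs before the user does. It is my illustration, not code from the author or any provider on this page; the 15-minute lifetime, the in-memory store and the two-step flow (a GET that only reports validity, then an explicit POST from the landing page that actually consumes the link) are assumptions. The point of the split is that a scanner’s GET can no longer burn the link, and only the token’s hash is stored, so a leaked table cannot be replayed.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

LINK_TTL_SECONDS = 15 * 60  # assumed lifetime of a magic link


@dataclass
class MagicLink:
    email: str
    expires_at: float
    consumed: bool = False


class MagicLinkStore:
    """In-memory magic-link store (constructed for this example; a real
    deployment keeps the same records in a database keyed by token hash)."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock  # injectable so expiry can be tested
        # Keyed by SHA-256 of the token: the raw token never touches storage.
        self._links: Dict[str, MagicLink] = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, email: str) -> str:
        """Mint a new single-use token. Earlier links for the same address stay
        valid, so a user who requested twice can click whichever arrives first."""
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._links[self._hash(token)] = MagicLink(email, self._clock() + LINK_TTL_SECONDS)
        return token

    def _live(self, token: str) -> Optional[MagicLink]:
        link = self._links.get(self._hash(token))
        if link is None or link.consumed or link.expires_at <= self._clock():
            return None
        return link

    def peek(self, token: str) -> bool:
        """Backs the GET that the email client (or a link scanner) performs.
        It reports validity but never consumes, so a prefetch is harmless."""
        return self._live(token) is not None

    def consume(self, token: str) -> Optional[str]:
        """Backs the explicit POST from the landing page. Returns the
        authenticated email (or None) and revokes every other outstanding link
        for that address so stragglers cannot be used later."""
        link = self._live(token)
        if link is None:
            return None
        for other in self._links.values():
            if other.email == link.email:
                other.consumed = True  # includes `link` itself
        return link.email


if __name__ == "__main__":
    store = MagicLinkStore()
    t = store.issue("alice@example.test")  # constructed address
    print("still valid after a scanner GET:", store.peek(t))
    print("consumed for:", store.consume(t))
    print("second use rejected:", store.consume(t) is None)
```

The landing page behind the GET only needs to render a "Continue" button whose form submits the token; the POST is what calls consume(). Scanners follow GETs but do not submit forms, which is what makes the prefetch harmless.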

After considering a few of these edge cases, you decide you’d like to remain a productive member of society, so you start looking into authentication providers to get these problems off your plate.

The two largest players in the industry are fairly well known, AWS Cognito and Auth0. [0]

AWS Cognito is the quick and easy solution for authentication.

It’s free up to 50,000 MAUs, with $0.0055 per MAU after that. In other words, Cognito takes care of authentication for the price of a coffee.

Feature-wise, Cognito also checks off all the boxes. It supports simple email password logins, single sign-on, and even SMS authentication.

You implement Cognito over the weekend and report back to your boss: mission accomplished!

Everything’s rosy - until one day, your boss pops back in and asks if you can do something about that ugly signup/login screen from Cognito. And while you’re at it, implement third-party authentication like signing in with Google or Apple.

This is where the nightmare begins.

Cognito’s documentation is notoriously bad. Their third-party authentication documentation is 30 steps of “open x console, click y button, and save changes”. The only way to truly understand Cognito is to implement things and pray that you’ve done things correctly.

Cognito is also surprisingly hard to customize. The default UI is baked into their OAuth server and backed by the Cognito API. That means you have three choices: 1) tell your boss "too bad" and make minor changes to the default UI, 2) risk misconfiguring settings by making changes outside what the Cognito UI documentation covers, or 3) build the UI from scratch.

Naturally, your first choice is to run away and look for a Cognito alternative, namely Auth0. Unfortunately, you have one more hurdle to clear — migrating out of Cognito. Spoiler: it’s very hard.

For starters, you can’t export users and their passwords out of Cognito. Instead, you’ll need to design workarounds like asking users to reset their passwords, or quietly checking each user’s password against Cognito at login and storing it in the new authentication system. Either way, you’re stuck maintaining two systems in parallel for some time. Cognito really doesn’t want you to leave.
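The second workaround above, migrating users lazily as they log in, is a common enough pattern to be worth showing. The example below is mine, not the author’s and not Cognito’s API: the legacy provider is stood in for by a constructed dictionary behind a hypothetical legacy_verify() call that, like Cognito, can only answer yes or no about a password and never exports it. On the first successful login the password is re-hashed under the new system’s own scheme (PBKDF2 from the standard library here, with an assumed iteration count) and only that hash is stored; pending() reports who has still not migrated, which is what tells you when the old system can be switched off.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, Iterable, List, Tuple

# Constructed legacy directory standing in for the old provider. Like Cognito it
# exposes no password export, only a "does this password match" check.
_LEGACY_USERS = {"alice": "correct horse", "bob": "hunter2"}


def legacy_verify(username: str, password: str) -> bool:
    """Hypothetical call to the old provider's login API (stand-in, not Cognito)."""
    return _LEGACY_USERS.get(username) == password


PBKDF2_ITERATIONS = 600_000  # assumed work factor for the new store


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS, dklen=32)


class MigratingAuth:
    """Serves logins from the new store when the user is already migrated and
    falls back to the legacy provider otherwise, migrating on success."""

    def __init__(self, legacy: Callable[[str, str], bool]):
        self._legacy = legacy
        self._new: Dict[str, Tuple[bytes, bytes]] = {}  # username -> (salt, hash)

    def login(self, username: str, password: str) -> bool:
        record = self._new.get(username)
        if record is not None:
            salt, digest = record
            # Migrated users never touch the legacy system again.
            return hmac.compare_digest(_hash(password, salt), digest)
        # Not migrated yet: ask the legacy provider. On success we hold the
        # plaintext for this one request, hash it under our own scheme and
        # persist only the hash.
        if not self._legacy(username, password):
            return False
        salt = os.urandom(16)
        self._new[username] = (salt, _hash(password, salt))
        return True

    def is_migrated(self, username: str) -> bool:
        return username in self._new

    def pending(self, all_usernames: Iterable[str]) -> List[str]:
        """Users who still exist only in the legacy system."""
        return [u for u in all_usernames if u not in self._new]


if __name__ == "__main__":
    auth = MigratingAuth(legacy_verify)
    print("alice login:", auth.login("alice", "correct horse"))
    print("still pending:", auth.pending(_LEGACY_USERS))
```

Note that once a user is migrated the legacy answer is ignored entirely, so password changes must be handled in the new system from that point on; the cutover for each user happens at their first successful login, not at a single switch-over date.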

Cognito feels like you’re alone in the woods with a half-failing flashlight. In comparison, Auth0 is a well-lit cabin.

The slick UI screams speed, the documentation is elegant, and even OpenAI is using them. So, despite all the migration worries, you decide to move to Auth0.

Implementing Auth0 is just as easy as Cognito, maybe even easier. Any snags are quickly solved by reading the documentation and their universal login product features no-code customizations. It’s lovely. Users slowly trickle over to Auth0 and as you look at the sexy new login screen and dozens of authentication options, life is once again good.

That is, until the end of the month when your boss comes charging into your office with a bill from Auth0. Rather than paying Cognito 0.5 cents per MAU, Auth0’s base MAU pricing starts at 2 cents per user. With additional features, pricing quickly balloons to 15 cents per user. In other words, 10-30x the price of Cognito. Ouch.

And so, you start searching around for new authentication services, even the ones tucked away on the second page of Google search results. You find dozens of services including SuperTokens, FusionAuth, Clerk, PropelAuth, Keycloak, Ory, Stytch, Supabase, and Magic.

Each of the providers offers a slightly different twist on the classic authentication experience. Some like SuperTokens are open source with self-hosting, others like FusionAuth add on biometric authentication, and still others like Magic are industry-specific authentication providers.

Honestly, it’s all quite confusing. So to save yourself some trouble, you pull out the big guns. You start spitting out a bunch of industry jargon at your boss and scare him out of your office. After all, no one really wants to move off an IAM IDaaS that uses JWTs.

Finally, you can put your feet up and relax, if only for the moment. You’ve bought yourself some time before that Auth0 bill comes back to haunt you again.

How did we get here?

Identity is a feature

At first, authentication was lumped into the unwieldy potpourri known as IT. You had the same company set up your Ethernet and also build your authentication system. In fact, the primary market for authentication was workforce management. In other words, you wanted to make sure that only employees could sign on to your system and access private data.

This led to early authentication being more of an IT appendage rather than a standalone product. Early efforts in launching an authentication-focused company ended in quiet death. The first major breakthrough was Firefly, an early pioneer in personalization and privacy technology. Three years after founding, they were acquired by Microsoft in 1998. The technology formed the basis of the Microsoft Passport product.

Brian Arbogast, a VP at Microsoft, said, “More and more, when people went to Web sites — to shop, retrieve news stories, download software or participate in chats — they had to log in, giving their name, password and, often, additional information. There are so many user names and passwords that people have to remember today that it can create a pretty frustrating experience… Authentication services like Microsoft Passport are designed to help transform today’s Internet and computing experience by enabling single sign-in to multiple sites and services with one secure password.”

Judging by the fact that most consumers today don’t even know of a sign-in with Microsoft option, this foresight didn’t translate into actual consumer business success.

Microsoft Passport also made quite a few unforced errors. In December 1999, Microsoft forgot to pay an annual $35 domain registration fee for “passport.com”. The oversight brought down Hotmail, which used Microsoft Passport for authentication.

Thankfully, Microsoft used the principles of Passport to launch Active Directory. By focusing on the enterprise market, Active Directory quickly became the top product that enterprise IT teams used to coordinate identity management.

Identity is a product

Okta took things a step further by unbundling identity management.

In 2009, Todd McKinnon and Frederic Kerrest, both from Salesforce, teamed up to start an application monitoring company. Soon, they realized that the rise in cloud applications would pose unique authentication challenges for IT managers. In Kerrest’s words, “Eventually, somebody had to make sure that we could all sign in to software as it moved online. That had to be useful, right?”

So, they pivoted the company to identity management and found a new name: Okta.

Rather than making a huge futuristic leap, Okta’s unique insight was that large companies were willing to buy best-of-breed workforce identity software rather than use employee authentication bundled within large ERP contracts from Microsoft, IBM, or Oracle. The catalyst for this change was the rise of cloud tools for companies.

To take advantage of this trend, Okta bet heavily on Single Sign-On (SSO) technology. A user can access tools like Gmail or Slack from within the Okta platform. One company account to rule them all.

Things started slowly, including a quarter where they missed sales forecasts by 70%. But their initial thesis was solid. Sales picked back up and they withstood serious competition from Ping Identity, Microsoft Active Directory, and even Salesforce. In McKinnon’s words, “the journey of a thousand miles begins with someone who has no idea how long a thousand miles actually is.”

In 2017, Okta went public and grew to a peak valuation of over $40 billion.

The rise of customer identity

The next large authentication success story came from Auth0.

In 2013, Eugenio Pace started Auth0 with co-founder Matias Woloski. In Pace’s words, “nobody cares about authentication, but everybody needs it.” More specifically, he was referring to customer identity authentication, where companies need to create and authenticate user accounts.

Part of what made Auth0’s offering so compelling was their business model. Rather than the traditional top-down sales model, Auth0 started with developers in mind. Their first landing page had the headline, “Identity made simple for developers”.

More importantly, they invested heavily in resources for developers - not just clean documentation but also a great blog that 700,000 developers visit every month.

The bet on customer identity and on developers first paid off: Auth0 was acquired by Okta in March 2021 for $6.5 billion.

By combining the two companies, Okta became the unmistakable leader in authentication. Okta now has the best workforce identity product, a market worth $35 billion, and the best customer identity product, a market worth $11.88 billion (or $30 billion based on Okta’s claims) [1].

The Future of Authentication

Recently, the market hasn’t been agreeing too much with Okta’s assessment. Their valuation has plummeted from a high of $40 billion to around $11 billion.

Part of the fall can be explained by a broader decline in the tech industry; companies like Twilio and Shopify have also seen their valuations quartered. Unique to Okta’s situation is the challenge of integrating two companies with different go-to-market strategies.

Okta's traditional sales team is used to working with CIOs and selling them on Okta's core workforce identity product. In an ideal case, this sales team can also pitch customer identity.

That’s where the questions start. What is the commission percentage for selling workforce identity vs. customer identity? What happens to the commission if the company is already using Auth0 customer identity on a small scale? More importantly, does the combined Okta + Auth0 entity keep Okta’s top-down sales model, Auth0’s bottom-up developer-first growth model, or try both to limited effect?

Two years into the acquisition, few have answers. In a recent earnings call, Brett Tighe, Okta's CFO, said, “over half of the outlook headwind relates to our sales integration challenges. A secondary portion of the reduction relates to the heightened attrition, which resulted in a lower-than-expected capacity build as we move through the year.”

In the past two years, Steve Rowland (CRO), Kendall Collins (CMO), Steve Dozenhoff (Head of Partnerships), and Mike Kourey (CFO) have all left the company.

While Okta is busy sorting through the internal mechanics of the acquisition, there’s a larger threat looming on the horizon. Customer demand is shifting.

Security

One of the main arguments for employing a third party to handle authentication is security. Third-party auth providers are meant to deliver a higher level of security for customers by narrowly focusing on just security and authentication. Unfortunately, Okta has been caught on the wrong side of the headlines in the past year.

In March 2022, Okta had a big fright from the hacker group Lapsus$. The hackers gained access by compromising a machine from Sitel, a subcontractor of Okta. Damage was quite limited - control lasted for 25 minutes and the hackers were only able to access two of Okta’s customers' authentication systems. The real damage came from the bad press.

Later in August 2022, Twilio was breached by Scatter Swine. Unfortunately, “Twilio provides one of two services Okta leverages for customers that choose to use SMS as an authentication factor.” As part of the breach, the hackers came away with a “small number” of Okta customer mobile phone numbers and associated SMS messages that contained one-time passwords.

Finally, in December 2022, Okta reported that they had found suspicious access to their internal code repositories and evidence that the hackers had copied Okta code repositories (not including Auth0 code). Thankfully, this hack wasn’t accompanied by any other customer data breach. But it’s never a good year when an auth company makes headlines three times in a single year for security breaches.

In response to the security breaches at Okta and Auth0, many companies are looking to gain finer control over their data through self-hosting, moving authentication logic off the auth provider and onto their own servers.

While the market size for self-hosting is far smaller than managed services, part of our thesis at SuperTokens is that future authentication will be decentralized. Other authentication providers following the same thesis include open-source companies like Keycloak, Ory, and more.

In-house vs. third-party

Authentication also faces a classic catch-22.

The best customers for authentication providers are large enterprises that see serious auth volume and have matching budgets. These enterprises are also most likely to roll their own auth. After all, why pay an auth provider millions if you can spin up an internal auth team for roughly the same cost?

So far, that hasn’t stopped Okta or Auth0 from claiming enterprise customers like FedEx, Peloton, or Toast.

However, absent from the list are large enterprise SaaS companies. Companies like Twilio, Shopify, Stripe, and more have all elected to keep authentication in-house. Shopify has 500+ employees with security in their job title, Twilio has 600+, and Stripe 400+. Much of that headcount comes from non-authentication security, but with such a large security organization it’s easy to staff dedicated authentication.

Over time, the cost of implementing auth has also gone down. While Microsoft’s vision of a universal passport didn’t pan out, third-party authentication is gaining serious traction.

Rather than create a new username and password for every application, users can sign in with Google, Apple, Facebook, Xbox, Nintendo, Twitter, Discord and even crypto wallets. These third-party integrations place the authentication onus on providers like Google, Apple, or Facebook.

Companies that need a specific integration, like sign-in with Nintendo, also have a hard time finding an auth provider that supports such connections (FusionAuth is a rare provider that supports Nintendo identity). In cases like this, it makes more sense for the company to invest its own resources in authentication to improve user experience.

Pricing

Part of the challenge of choosing between in-house and third-party comes from authentication pricing.

Being the best customer identity provider comes with many perks, including being able to charge a premium for authentication. While high prices mean more revenue available to put into customer acquisition, they also discourage startups from implementing Auth0 or Okta. Both Auth0 and Okta are used to playing within the IAM market (B2B or B2E) where companies have fewer users and are more willing to stomach high authentication costs.

The rise of Customer IAM (B2C) has caught both companies flat-footed. An average B2C startup sees around 30-50 thousand monthly active users which translates to a ~$20k per month bill from Auth0. Almost every alternative to Auth0 is cheaper.

Conclusion

The world of authentication has changed rapidly in the past ~15 years. What started off as a small subset of IT has blossomed into a full-blown industry, complete with billion dollar acquisitions.

Go-to-market (GTM) also moved from a top-down CIO/CISO sales model to a bottom-up developer-first model. Perhaps we’ll witness a land grab for user adoption in the future, or a push to empower non-technical teams to implement authentication with no-code or low-code.

Authentication is also becoming more niche. Startups are slowly chipping away at Auth0 and Okta’s market by providing specialized authentication. SuperTokens’ thesis is that the future of authentication is open-source and modular. Clerk proposes that a selection of amazing pre-built UIs is the big differentiator. PropelAuth focuses on the B2B authentication market with easy enterprise auth features.

Either way, it’s an exciting time to be in authentication.

Shameless plug, if you’re evaluating auth providers, give SuperTokens a look. I promise you won’t be disappointed.

Footnotes

[0] If there’s one thing to take away from this piece, it’s that the security industry really likes their acronyms.

[1]

To calculate this, we’ll start with the assumption that companies are willing to pay 3 cents per MAU for authentication, or roughly 30 cents per user per year. Auth0 is the leading customer identity access management provider. Their pricing starts at 2 cents per MAU and can reach upwards of 15 cents.

We’ll also make use of a previous Dashlane study on passwords back in 2017. In the study, Dashlane found that the average internet user has around 150 active accounts. It’s likely that there are more active accounts per user today, but we’ll call it 150 for now.

Now, let’s find the addressable population. We’ll be more conservative here and focus on the US market. We can say that only 80% of the 330 million people living in the US are actively online (the other 20% are either too old or too young). That leaves roughly 264 million US internet users.

Multiply everything together and you get $11.88 billion (0.264 billion users x 150 accounts per user x $0.30 per account).