I mistyped my password, so now Verizon Wireless's website wants to know the name of my first pet. I type the cat's name. No go. Should I capitalize the first letter of the cat's name? Wait, maybe it was the name of one of the tropical fish I had as a kid! Do they even count as pets, and was I thinking of them when I answered the security question? Anyway, which of them? There were so many...
Before I know it, my account is locked. Now I'll never straighten out my mobile bill. I'm in authentication hell.
I've got lots of company there, including, most likely, you. We face this doom thanks to choices we've collectively made over the past two decades. First we transferred every aspect of our lives online and onto our many devices. Then we locked them all up using passwords, a security technique formerly reserved for third graders' clubhouses and magic gates.
I always assumed we'd have outgrown passwords by now. But despite the rise of new techniques like multi-factor authentication (usually codes sent to phones) and fingerprint ID, passwords refuse to vanish. In fact, as cloud services have become the default method of software delivery (with remote servers running programs over the network, meeting our every need on phone or screen), most of us have more passwords than ever. Before you do whatever you want to do, anywhere and everywhere, you still have to log in.
I also always assumed that, if we were going to be liberated from passwords, it would be thanks to some marvelous technical breakthrough or a consensus around some open public standard. Surely the prophet to lead us out of password bondage would be the sort of bearded genius who built the internet in the first place, or some wild-eyed outsider a la Richard Stallman, coding us to freedom with cryptographic wizardry.
Now, as I'm sitting in a South of Market conference room on a fogged-in San Francisco morning in August, feeling my phone vibrate with your-payment-is-late notifications, I'm wondering: What if the path to a password-free future gets discovered not by some hacker-genius, but rather by a firm in the decidedly unrevolutionary world of enterprise software? And what if the leader of that exodus is Todd McKinnon, the straight-backed, straight-talking engineer sitting across from me?
Okta was founded in 2009 by McKinnon and Frederic Kerrest, a couple of SalesForce veterans who became convinced that the cloud was the future. (An okta, from the Greek for "eight," is a meteorological unit of measurement for cloud cover that divides the sky into eighths.) At SalesForce in the 2000s, they'd seen the cloud future, in which companies big and small would willingly give up their servers and software licenses and hand all the headaches over to what we now call software-as-a-service (SaaS) vendors. Such transition points, McKinnon knew, were the moments in the grand cycles of technology when you could start new companies that could get big fast. He wanted to do that. "In every generation," he says, "if you want to make something huge and impactful and lasting, you have to take that shot, right?"
McKinnon quit SalesForce, connected with Kerrest (a programmer-turned-businessman who'd taken a leave from SalesForce to get an MBA from MIT) and started sketching out startup ideas. People, including his wife, told him he was crazy. He prepared a PowerPoint to explain why he was not.
McKinnon's rationality is slablike, Vulcan in its imperturbability; with just a little work on the ear tips he'd be a ringer for Spock. That would make the garrulous Kerrest, who is now Okta's COO and talks at twice McKinnon's speed, something like the company's Bones McCoy.
First, the two men thought they'd help corporations monitor the performance of their off-site software service vendors. But that problem felt small, and the market turned out to indeed be small, and one day McKinnon woke up with a better idea: They would solve The Identity Problem.
To most human beings, the identity problem sounds like something they might wrestle with in church or in therapy. In the software industry, it is a much more practical matter: How do you know who a user is and what kinds of things that user is authorized to do? The question has dogged system designers for decades, and mostly they have punted, sticking with a username/password approach that dates back to the era of time-shared minicomputers, and applying it to an ever-widening range of problems for which it's less and less appropriate.
Kerrest says, "People have daisy-chained their bank accounts to their email address, and they're using their email password for the travel site. Well, the travel site just got hacked by someone else. And if that someone cares, they're going to get into that bank account."
The good news is, Okta really does seem to be making methodical headway on The Identity Problem. The bad news is that, for now, it's solving it for your employer, not for you.
Here's the way Okta works for most of its users: They start their workday, they log in once (yes, with a username and password, most of the time) and they're done with logins. Okta takes them to a home screen (desktop or phone) which connects them with a single click or tap to all the applications their workplace makes available. Users can sometimes add personal apps, too. As McKinnon told a reporter in 2014: "You can have a crappy experience with 60 different passwords, or we can give you a good experience with one. Passwords really need to die now."
That such a single sign-on approach would become a necessity was crystal clear to Okta's founders from day one. When companies kept servers on their premises and maintained and upgraded their own software, there was a natural limit to how many different applications they were likely to run. "You couldn't afford to have more than, say, eight to ten applications," says Ben Horowitz, who made the first investment in Okta in 2009, right as his own VC firm Andreessen Horowitz was launching, and who has sat on Okta's board ever since. "When you move to the cloud, you just end up with more than an order of magnitude more applications, sometimes hundreds of them." It's so easy to try out that new lead-management tool or meeting scheduler: let's just give it a whirl! Suddenly the minor task of keeping passwords straight becomes a major headache. "If somebody quits," Horowitz says, "then getting them out of all hundred systems is a nightmare, if you're doing it by yourself."
Okta wasn't the only company to see the opportunity in building single sign-on systems and tools to manage them. There were existing identity-management providers, like Ping Identity and Centrify, that had emerged in the pre-cloud era; other startups, like OneLogin, were working the same territory. Before long, the Okta founders' old employer SalesForce was getting into the act, and then, in the last couple of years, Microsoft muscled in. Today, Microsoft is probably Okta's biggest competitive challenge. (Okta's chief product officer, Eric Berg, is a Redmond alum.) In one of the mini-dramas that occasionally erupt in the normally staid enterprise world, Okta was briefly disinvited from a Microsoft conference last spring, even though Okta's system connects hordes of users to Microsoft services every day.
McKinnon says the office software giant set up a "Kill Okta" room on its campus this year. His friends asked: "Aren't you scared?" He thought all the competition just validated Okta's original plan.
Okta has taken roughly $230 million in investment to date, with its most recent round in 2015 pegged at a $1.2 billion valuation. Meanwhile, the company has grown to more than 800 employees, and integrates with 5,000 popular software services. Okta keeps its financials close to the vest, but in June Reuters reported it had hired Goldman Sachs to begin exploring either an IPO or an acquisition. When I ask McKinnon about that, he zips up like a prudent CEO: "If someone talks about going public, they're not going public. I'll just leave it at that." Which is either an opaque koan or a paradoxical, roundabout confirmation.
With all this growth, Okta's leaders, like many software innovators, still sometimes struggle to describe what exactly they do in language outsiders can understand. They may top the identity management space in research firm Gartner's magic quadrant, which ranks competitors, but they have their own identity issues. Okta is the foundation for secure connections between people and technology. It enables any company to adopt any technology. It's always on and aims to connect everything.
These mission mantras all sound great. But from the front, Okta just doesn't look like much more than a spiffy password manager. Its public face is simple, almost invisible. (Some companies pay to strip Okta's name entirely from the screen. You might already be using it without knowing.) And there are tons of password managers out there already. They're built into your browser, and you can choose from a bunch of more elaborate free or low-cost options for personal use. But most of them are from small companies and have kludgy rough edges, and they all require you to serve, in a sense, as your own IT department, making fine-grained decisions about details you might not want to think about. As a result, most of us don't use them.
With Okta, the simple face of a login tool hides a ton of complexity. It hides the challenge of wiring up a maze of apps, organizations, and user populations so they're accessible yet secure. It hides adaptive security techniques, which use pattern-matching to flag suspicious login attempts (as your credit card company does). It hides adaptability. "Building a platform that can be flexible and change quickly, that's the secret sauce," McKinnon says. Companies want the freedom to migrate from one tool to another, and Okta, he says, insulates them from the painful part of that change. He leans back with just a touch of weariness in his eyes. "The first seven years of the company have been doing a lot of the hard work on the foundation. Now we can do interesting stuff."
Like what? Okta is helping companies manage the erosion of boundaries between their insides and the outer world. Okta customers I talked to are increasingly using its services to manage relationships with large groups outside their companies: hundreds of thousands of contractors, millions of organizational members. (For instance: Retail giant Clorox, which uses outside reps who check up on supermarket displays. Or MGM Resorts, which built a rewards program for its customers around Okta's tools.)
More interesting stuff is coming down the pike. Okta is unveiling new API capabilities at its annual conference this week in Las Vegas. For example, Pitney Bowes, the venerable postage-meter company, is building a new mailing label system using these new tools, and inside Okta, people talk about applying them to everything from home internet-of-things systems to massive sensor arrays deployed by energy companies. Okta may start by helping employees jettison a lot of redundant passwords, but its ultimate aim is a lot bigger: the construction of a comprehensive system for authorizing passage, by people and programs, through all the new gates we're building in Cloud Land. Think of it as the new digital passport office, except the borders it enables crossing are made of code.
Where does that leave you and me on our journey out of password bondage? Right now, you can't just sign up for Okta as an individual. When you raise this question with Okta executives, they will all take a similar far-off gaze and offer some variation on "We'll get there." Jon Todd, the company's boyish chief architect, says Okta is busy enough right now expanding to take care of external consultants and other loosely affiliated users, but he's itching for the company to tackle the bigger identity problem for the rest of us, someday.
If and when it does, it has one big edge. For Okta, as product lead Eric Berg explains it, identity is the hub of its architecture, not just a single spoke of a system dedicated to something else. Unlike its bigger competitors, Microsoft and SalesForce, Okta doesn't have any applications or suites to sell you or your company. It has no incentive to lock you into its silo or its stack or whatever other metaphors the software future may bring. If anything, Okta's interest is in connecting its customers to as many other services as possible.
Corporate customers who've lived through previous eras of lock-in by IBM or Microsoft know this in their guts. For something like identity management, a lot of them want a neutral vendor, and Okta embraces the part of enterprise software's Switzerland. That's a role it couldn't play if it were acquired by a cloud giant, like Amazon or Google, or by someone with big plans to sell you hardware or software, like Apple or Microsoft.
What about Facebook? A lot of observers have said that the war for online identity is over, and Facebook has won. People use their Facebook IDs to log in to services across the internet. Why would they need something like Okta? "My belief is that people own their identity," McKinnon tells me. "And the tool that helps unify identity is going to be at the service of the people, and not at the service of an advertising firm."
In other words: If you're going to hand the keys of your online existence (financial and medical and professional and personal) to a single company, it had better be one you trust.
And this is where Okta's heritage as a boring enterprise-software business might be its ultimate secret weapon. This era in tech has been shaped by big companies that figure out how to solve big problems, hand consumers the solutions for free, and then, too often, sell them out on the back end. With today's dominant ad-supported services, the price is right, but you never escape the suspicion that someone is looking over your shoulder, deciding whether to sell your email address or show you some shoes.
If all you're doing is playing a cheesy candy-crushing game, you probably won't care. But when it's your identity? You might want to put more of a price on that. If Okta can keep its corporate revenue flowing, you just might be able to trust it not to share or sell your data, or try to upsell you.
Maybe Okta can usher me straight into my Verizon Wireless account the next time I need it without my having to ransack my memory for the forgotten names of guppies. Heck, if they can do it safely, maybe I'd even pay them for the trouble.
Photography by: Drew Beechler