451 RESEARCH REPRINT


Auth0 blurs the line between IDaaS and CIAM with application authentication platform
GARRETT BEKKER, 13 MAR 2018
The company has built an identity management platform to help application developers integrate authentication into their custom applications with as little effort as possible. Recent efforts have focused on addressing B2B and B2E use cases.

THIS REPORT, LICENSED TO AUTH0, DEVELOPED AND AS PROVIDED BY 451 RESEARCH, LLC, WAS PUBLISHED AS PART OF OUR SYNDICATED MARKET INSIGHT SUBSCRIPTION SERVICE. IT SHALL BE OWNED IN ITS ENTIRETY BY 451 RESEARCH, LLC. THIS REPORT IS SOLELY INTENDED FOR USE BY THE RECIPIENT AND MAY NOT BE REPRODUCED OR RE-POSTED, IN WHOLE OR IN PART, BY THE RECIPIENT WITHOUT EXPRESS PERMISSION FROM 451 RESEARCH.

©2018 451 Research, LLC | WWW.451RESEARCH.COM

Auth0 has built an identity management platform that combines some of the elements of IDaaS with a touch of customer-focused identity and access management (CIAM). Its offering is based on a broad range of APIs and SDKs designed to help enterprise customers integrate authentication into their custom applications with as little effort as possible. Auth0 has arguably been perceived mainly as a tool for application developers with very specific authentication requirements for customer-facing B2C applications. However, the company has focused recent marketing efforts on its capabilities with B2B and B2E use cases in an attempt to reach tech executives that are higher up the food chain.

THE 451 TAKE
It’s no secret that the last thing most developers want to deal with is security, and authentication is notorious for being ignored or poorly implemented. Thus, we see a clear need in the market for any offering that can help developers get a handle on identity management and authentication, which can be time- and resource-consuming. We have seen several transactions attempting to bridge functional gaps across identity silos, including IDaaS vendor Okta’s grab of Stormpath and Ping’s pickup of CIAM vendor UnboundID. We ultimately expect more blurring of the lines between legacy IAM, IDaaS, CIAM, privileged identity management and even cloud access security brokers as we move toward a more unified vision of ‘cloud security 2.0.’ We view Auth0’s ability to address a variety of use cases and user groups as a welcome strategy, albeit one that will likely entail direct competition with a wide variety of established IDaaS and CIAM vendors.

CONTEXT
In the past several years, there has been considerable change underfoot in the historically sleepy IAM space. Much of this nascent activity has been driven by new architectures, such as cloud, big data and IoT, as well as by digital transformation. The upshot is that we have seen the emergence of a range of new identity-focused vendors, many of which no longer fit neatly into older taxonomies such as authentication, single sign-on (SSO), provisioning and governance. Aside from the traditional approach of segmenting vendors by functional technology, vendors in the broader IAM space now also differ in terms of the specific use cases they address (such as identity verification, anti-fraud or customer engagement), the user populations they target (employees, partners, suppliers or end customers) and who they sell to (security managers, IT operations staff, marketing officers or application developers). Thus, we have seen the emergence of entirely new sub-categories under the broader IAM rubric, such as IDaaS and CIAM, as well as growing convergence with adjacent categories such as user behavior analytics, anti-fraud and even third-party risk management, making it difficult to define an identity vendor’s most appropriate categorization.

COMPANY
Auth0 was founded in 2013 by Matias Woloski and Eugenio Pace, who recently assumed the CEO role after the departure of former CEO Jon Gelsey. The official headquarters is in Bellevue, Washington, with offices in Buenos Aires (where much of engineering takes place), London, Tokyo and Sydney housing north of 280 employees, including 140 added in 2017 alone. Auth0 doesn’t disclose financials, but claims that revenue more than doubled in 2017. The company has added 1,500 new customers, bringing the total to 3,000 (2,500 self-service customers and 500 enterprise accounts).
Auth0 has raised nearly $55m over three rounds from VCs such as Bessemer Venture Partners, K9 Ventures and Trinity Ventures, with the most recent raise a $30m series C in June 2017 led by Meritech Capital Partners. Target verticals include retail, telecom, financial services, manufacturing, software, media, travel/tourism and logistics. Notable customers include Atlassian, Schneider Electric, Mazda USA, the National Institutes of Health and Harvard Business School.

PRODUCTS
Technically, Auth0 offers a set of APIs and SDKs that can integrate with any application with just a few lines of code, regardless of the application development stack – Android or iOS for mobile, as well as Python, Ruby, PHP, NodeJS and more. More recently, Auth0 has added out-of-the-box features accessible via a standard web UI to help broaden its appeal beyond app developers. Conceptually, it can be thought of as an ‘authentication clearinghouse’ that sits between enterprise apps and ID sources, which application developers can connect their apps to in order to authenticate users. Auth0 can broker IDs between social media sites such as LinkedIn; enterprise ID repositories, such as AD or LDAP directories; identity providers (IDPs), such as Dropbox or AWS; and username and password databases. Once an account is created, developers or other users are provided with a single interface that provides step-by-step instructions on how to integrate Auth0 with their specific application – all prepopulated with the configurations, settings and code snippets needed for a particular application platform. In addition to the type of application platform, customers can also choose the type of authentication, such as a standard username and password or social login. If they opt for standard username and password, policies can be set for multiple parameters, such as the minimum number of characters, required upper/lowercase letters, etc. For social login, developers can specify the IDP (Facebook, LinkedIn, etc.). Auth0 also provides a customized and branded login screen that can be localized in various languages, with minimal work for the developer. Auth0 is reached over HTTP, so any resource with a network connection – a mobile device, website, application, IoT device or server – can connect to it.
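The clearinghouse model described above means the application never handles the user's credentials itself; it receives a signed assertion from the broker and must validate that assertion before trusting any identity in it. The Python below is an added example written for this reprint, not Auth0's SDK code and not taken from the report: it assumes the broker issues JSON Web Tokens (JWTs) and, so that it runs offline, signs them with a shared HMAC secret (HS256) rather than the asymmetric keys a production broker would publish. The secret, issuer URL, audience and user identifiers are placeholders, and the sample tokens are constructed inside the block.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed for this example: a shared signing secret and the identifiers the
# relying application expects in every token it accepts. These are placeholders,
# not values from any real tenant.
SIGNING_SECRET = b"example-shared-secret-do-not-reuse"
EXPECTED_ISSUER = "https://example-tenant.example.com/"
EXPECTED_AUDIENCE = "https://api.example.com/orders"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(claims: dict, secret: bytes = SIGNING_SECRET, alg: str = "HS256") -> str:
    """Mint a token the way a broker would. Used here only to build sample input;
    alg="none" and a wrong secret produce tokens the verifier must reject."""
    header = {"alg": alg, "typ": "JWT"}
    signing_input = (_b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + _b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    if alg == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url_encode(sig)


def verify_token(token: str, secret: bytes = SIGNING_SECRET, now: Optional[float] = None) -> dict:
    """Validate a broker-issued token. Raises ValueError on any failure and
    returns the claims only once signature, issuer, audience and time window check out."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    # 1. Pin the algorithm. The token must not choose it (alg=none, key confusion).
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    # 2. Recompute the MAC over the exact bytes received and compare in constant time.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    # 3. Only now read the claims: who issued it, who it is for, and whether it is current.
    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != EXPECTED_ISSUER:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    if "exp" not in claims or now >= claims["exp"]:
        raise ValueError("expired")
    if claims.get("nbf", 0) > now:
        raise ValueError("not yet valid")
    return claims


def check(token: str, now: float) -> str:
    """Return 'ok' or the rejection reason, for logging or tests."""
    try:
        verify_token(token, now=now)
        return "ok"
    except ValueError as exc:
        return str(exc)


def sample_tokens(now: float) -> dict:
    """Constructed input: one valid token and several the application must reject."""
    base = {"iss": EXPECTED_ISSUER, "aud": EXPECTED_AUDIENCE, "sub": "user|123", "exp": now + 600}
    return {
        "valid": issue_token(base),
        "expired": issue_token({**base, "exp": now - 1}),
        "wrong_audience": issue_token({**base, "aud": "https://api.example.com/other"}),
        "wrong_issuer": issue_token({**base, "iss": "https://evil.example.net/"}),
        "alg_none": issue_token(base, alg="none"),
        "forged": issue_token(base, secret=b"attacker-chosen-secret"),
    }


if __name__ == "__main__":
    now = time.time()
    for name, token in sample_tokens(now).items():
        print(f"{name:15s} -> {check(token, now)}")
```

The order of the checks is the point: pin the algorithm, verify the signature over the bytes as received, and only then parse and trust the claims. With a production issuer the signature step would verify an RS256 or ES256 signature against keys fetched from the issuer's published key set, but the issuer, audience and expiry checks, and the refusal to let the token pick its own algorithm, are unchanged.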
Since it sits in the middle of transactions, Auth0 has the ability to provide value-added features, such as traditional username- and password-based authentication, multi-factor authentication (MFA) and anomaly detection, audit logs, and profile completion (such as Profile Enrichment and Progressive Profiling), without any further changes to the application. For customers that want MFA, Auth0 has its own offering – Guardian – and can integrate with MFA offerings from the likes of Duo Security and Google Authenticator, as well as hardware tokens. A new addition is ‘passwordless authentication,’ which allows users to log in with just an email, phone number or TouchID (instead of a password), or via SMS login with an app like WhatsApp. Auth0 supports SAML; can work with directories from Ping Identity, Okta and OneLogin; and can do SSO to about 20 preinstalled apps. SSO can be used for employees to reach multiple applications, as well as for consumers to reach multiple sites within a broader domain, such as Yahoo or TMZ.

STRATEGY
In terms of go-to-market strategy, Auth0 initially targeted application developers with self-service offerings as a ‘foot in the door’ to larger enterprise accounts. More recently, Auth0 has focused its messaging, taking a more direct sales and channel approach that targets high-level employees (e.g., CTO, VP or director of engineering). The intention is to transform Auth0 from primarily a point solution for developers addressing a single use case into more of a platform sale. Customers are increasingly asking Auth0 to address hybrid use cases across a combination of applications, such as authenticating customers to externally facing apps via social login, enabling internal employees to perform SSO to third-party commercial SaaS applications, or enabling application providers to provide authentication to enterprise customers using Active Directory or LDAP directories in a traditional B2B scenario using federation.
As with most IDaaS vendors, most of Auth0’s customer deployments are cloud-based, although Auth0 also offers a variety of deployment options to suit a broad range of customer preferences, including vertical markets that are still uneasy about storing identity data in the public cloud. Customers have the option to deploy Auth0 in a private cloud, public cloud, on-premises or as a hosted service managed by Auth0. The company also offers professional services that can help customers undergoing digital transformations migrate their on-prem deployments to the cloud without losing any data. Additionally, to address data sovereignty and latency concerns, Auth0 has stood up cloud datacenters in the US, EMEA and APAC, with all user data and transactions resident in those locations and never moved. In terms of pricing, Auth0 offers a free tier for up to 7,000 users per month, with unlimited logins and up to two social IDPs. Developer, Developer Pro and Enterprise plans add more users, support for more IDPs and more security features (e.g., MFA, anomaly detection, etc.). Pricing is either a monthly or annual subscription, and is based on active users that log in every month, not the total number of registered users.

COMPETITION
Placing Auth0 within the vast and fragmented IAM landscape is a bit challenging, given Auth0’s hybrid deployment models and focus on authentication for custom applications in B2B and B2C use cases. Thus, we tend to agree with Auth0’s claims that its primary competition is DIY efforts by developers who attempt to build authentication into their apps directly, using either open source tools or parts available from cloud providers. In past coverage of UnboundID and its subsequent acquisition by Ping Identity, we have touched on the nascent CIAM space. The clearest distinction between CIAM and traditional IAM (and IDaaS) is the user populations they serve – the latter has traditionally focused on internal employees, while CIAM addresses the ultimate end consumer, typically in B2B2C scenarios. Additionally, CIAM vendors have to deal with notions of scalability, privacy, latency and customer experience that traditional IAM vendors have largely been able to ignore. Thus, one could argue that CIAM is Auth0’s nearest adjacency, and could include IAM vendors that have adopted a B2B2C focus, such as open source IAM platform provider ForgeRock and early CIAM vendors like Gigya (acquired by SAP) or Janrain that have been known more for social login. Auth0 could also encounter new developer-focused identity offerings from Microsoft (Azure Active Directory B2C, launched in late summer of 2016), Google (Firebase Authentication) and AWS (Cognito services). Transmit Security, the new project of serial security entrepreneurs Rakesh Loonkar and Mickey Boodaei, also has an authentication platform targeting application developers, but with more of an anti-fraud focus.
Stretching the CIAM definition even further could provide an argument for including B2B2C-focused authentication vendors such as TeleSign (acquired by BICS), VASCO Data Security or relative newcomer Callsign. As Auth0 is pulled more frequently into traditional B2E use cases for managing the identities of employees, consultants and partners, it will likely encounter IDaaS vendors such as Okta, OneLogin, Ping Identity, SecureAuth (acquired by K1 Investments), VMware (VMware Identity Manager), Salesforce, Microsoft (Azure AD and Azure AD Premium), Centrify, SailPoint Technologies and BlackBerry more frequently. However, one of the key differentiators between Auth0 and traditional IDaaS vendors is that the latter focus mainly on SSO to commercial third-party SaaS apps like Salesforce, Office 365 and Workday, whereas Auth0 has historically focused on custom-built applications deployed on-prem or (increasingly) in the cloud.

SWOT ANALYSIS

STRENGTHS
Auth0 has a broad range of application integrations via its APIs and SDKs, and the ability to address a full range of identity management use cases and user populations with little manual intervention.

WEAKNESSES
The lines between developer-focused IAM, CIAM, IDaaS and even cloud security are blurring, and it may take some time for customers to figure out exactly which vendor does what, and how well.

OPPORTUNITIES
With its ability to support applications with millions of customers, Auth0 could potentially address substantial opportunities with deal sizes that are orders of magnitude larger than traditional IAM deals.

THREATS
To the extent that developers are increasingly building custom apps on platforms from AWS, Google and Microsoft, there is always the threat that native offerings could be ‘good enough.’ Addressing B2E use cases more frequently will also invite competition from established IDaaS vendors.