I mistyped my password, so now Verizon Wireless’s website wants to know the name of my first pet. I type the cat’s name. No go. Should I capitalize the first letter of the cat’s name? Wait, maybe it was the name of one of the tropical fish I had as a kid! Do they even count as pets, and was I thinking of them when I answered the security question? Anyway, which of them — there were so many… Before I know it, my account is locked. Now I’ll never straighten out my mobile bill. I’m in authentication hell.
I’ve got lots of company there, including, most likely, you. We face this doom thanks to choices we’ve collectively made over the past two decades. First we transferred every aspect of our lives online and onto our many devices. Then we locked them all up using passwords — a security technique formerly reserved for third graders’ clubhouses and magic gates.
I always assumed we’d have outgrown passwords by now. But despite the rise of new techniques like “multi-factor authentication” (usually codes sent to phones) and fingerprint ID, passwords refuse to vanish. In fact, as cloud services have become the default method of software delivery — with remote servers running programs over the network, meeting our every need on phones or screens — most of us have more passwords than ever. Before you do whatever you want to do, anywhere and everywhere, you still have to log in.
I also always assumed that, if we were going to be liberated from passwords, it would be thanks to some marvelous technical breakthrough or a consensus around some open public standard. Surely the prophet to lead us out of password bondage would be the sort of bearded genius who built the internet in the first place, or some wild-eyed outsider a la Richard Stallman, coding us to freedom with cryptographic wizardry.
Now, as I’m sitting in a South of Market conference room on a fogged-in San Francisco morning in August, feeling my phone vibrate with your-payment-is-late notifications, I’m wondering: What if the path to a password-free future gets discovered not by some hacker-genius, but rather by a firm in the decidedly unrevolutionary world of enterprise software? And what if the leader of that exodus is Todd McKinnon, the straight-backed, straight-talking engineer sitting across from me?
Okta was founded in 2009 by McKinnon and Frederic Kerrest, a couple of SalesForce veterans who became convinced that the cloud was the future. (An okta, from the Greek for “eight,” is a meteorological unit of measurement for cloud cover that divides the sky into eighths.) At SalesForce in the 2000s, they’d seen the cloud future, in which companies big and small would willingly give up their servers and software licenses and hand all the headaches over to what we now call software-as-a-service (SaaS) vendors. Such transition points, McKinnon knew, were the moments in the grand cycles of technology when you could start new companies that could get big fast. He wanted to do that. “In every generation,” he says, “if you want to make something huge and impactful and lasting, you have to take that shot, right?”
McKinnon quit SalesForce, connected with Kerrest — a programmer-turned-businessman who’d taken a leave from SalesForce to get an MBA from MIT — and started sketching out startup ideas. People, including his wife, told him he was crazy. He prepared a PowerPoint to explain why he was not.
McKinnon’s rationality is slablike, Vulcan in its imperturbability; with just a little work on the ear tips he’d be a ringer for Spock. That would make the garrulous Kerrest, who is now Okta’s COO and talks at twice McKinnon’s speed, something like the company’s Bones McCoy.
First, the two men thought they’d help corporations monitor the performance of their off-site software service vendors. But that problem felt small, and the market turned out to indeed be small, and one day McKinnon woke up with a better idea: They would solve The Identity Problem.
To most human beings, “the identity problem” sounds like something they might wrestle with in church or in therapy. In the software industry, it is a much more practical matter: How do you know who a user is and what kinds of things that user is authorized to do? The question has dogged system designers for decades, and mostly they have punted, sticking with a username/password approach that dates back to the era of time-shared minicomputers — and applying it to an ever-widening range of problems for which it’s less and less appropriate.
Kerrest says, “People have daisy-chained their bank accounts to their email address, and they’re using their email password for the travel site. Well, the travel site just got hacked by someone else. And if that someone cares, they’re going to get into that bank account.”
The good news is, Okta really does seem to be making methodical headway on The Identity Problem. The bad news is that, for now, it’s solving it for your employer, not for you.
Here’s the way Okta works for most of its users: They start their workday, they log in once — yes, with a username and password, most of the time — and they’re done with logins. Okta takes them to a home screen (desktop or phone) which connects them with a single click or tap to all the applications their workplace makes available. Users can sometimes add personal apps, too. As McKinnon told a reporter in 2014: “You can have a crappy experience with 60 different passwords, or we can give you a good experience with one. Passwords really need to die now.”
That such a single sign-on approach would become a necessity was crystal clear to Okta’s founders from day one. When companies kept servers on their premises and maintained and upgraded their own software, there was a natural limit to how many different applications they were likely to run. “You couldn’t afford to have more than, say, eight to ten applications,” says Ben Horowitz, who made the first investment in Okta in 2009, right as his own VC firm Andreessen Horowitz was launching, and who has sat on Okta’s board ever since. “When you move to the cloud, you just end up with more than an order of magnitude more applications — sometimes hundreds of them.” It’s so easy to try out that new lead-management tool or meeting scheduler — let’s just give it a whirl! Suddenly the minor task of keeping passwords straight becomes a major headache. “If somebody quits,” Horowitz says, “then getting them out of all hundred systems is a nightmare, if you’re doing it by yourself.”
Okta wasn’t the only company to see the opportunity in building single sign-on systems and tools to manage them. There were existing identity-management providers, like Ping Identity and Centrify, that had emerged in the pre-cloud era; other startups, like OneLogin, were working the same territory. Before long, the Okta founders’ old employer SalesForce was getting into the act, and then, in the last couple of years, Microsoft muscled in. Today, Microsoft is probably Okta’s biggest competitive challenge. (Okta’s chief product officer, Eric Berg, is a Redmond alum.) In one of the mini-dramas that occasionally erupt in the normally staid enterprise world, Okta was briefly “disinvited” from a Microsoft conference last spring — even though Okta’s system connects hordes of users to Microsoft services every day.
McKinnon says the office software giant set up a “Kill Okta room” on its campus this year. His friends asked: Aren’t you scared? He thought all the competition just validated Okta’s original plan.
Okta has taken roughly $230 million in investment to date, with its most recent round in 2015 pegged at a $1.2 billion valuation. Meanwhile, the company has grown to more than 800 employees, and integrates with 5,000 popular software services. Okta keeps its financials close to the vest, but in June Reuters reported it had hired Goldman Sachs to begin exploring either an IPO or an acquisition. When I ask McKinnon about that, he zips up like a prudent CEO: “If someone talks about going public, they’re not going public. I’ll just leave it at that.” Which is either an opaque koan or a paradoxical, roundabout confirmation.
With all this growth, Okta’s leaders — like many software innovators — still sometimes struggle to describe what exactly they do in language outsiders can understand. They may top the “identity management” space in research firm Gartner’s “magic quadrant”, which ranks competitors, but they have their own identity issues. Okta is “the foundation for secure connections between people and technology.” It “enables any company to adopt any technology.” It’s “always on” and aims to “connect everything.”
These mission mantras all sound great. But from the front, Okta just doesn’t look like much more than a spiffy password manager. Its public face is simple, almost invisible. (Some companies pay to strip Okta’s name entirely from the screen. You might already be using it without knowing.) And there are tons of password managers out there already. They’re built into your browser, and you can choose from a bunch of more elaborate free or low-cost options for personal use. But most of them are from small companies and have kludgy rough edges, and they all require you to serve, in a sense, as your own IT department, making fine-grained decisions about details you might not want to think about. As a result, most of us don’t use them.
With Okta, the simple face of a login tool hides a ton of complexity. It hides the challenge of wiring up a maze of apps, organizations, and user populations so they’re accessible yet secure. It hides adaptive security techniques, which use pattern-matching to flag suspicious login attempts (as your credit card company does). It hides adaptability. “Building a platform that can be flexible and change quickly — that’s the secret sauce,” McKinnon says. Companies want the freedom to migrate from one tool to another, and Okta, he says, “insulates” them from the painful part of that change. He leans back with just a touch of weariness in his eyes. “The first seven years of the company have been doing a lot of the hard work on the foundation. Now we can do interesting stuff.”
Like what? Okta is helping companies manage the erosion of boundaries between their insides and the outer world. Okta customers I talked to are increasingly using its services to manage relationships with large groups outside their companies — hundreds of thousands of contractors, millions of organizational members. (For instance: Retail giant Clorox, which uses outside reps who check up on supermarket displays. Or MGM Resorts, which built a rewards program for its customers around Okta’s tools.)
More “interesting stuff” is coming down the pike. Okta is unveiling new API capabilities at its annual conference this week in Las Vegas. For example, Pitney Bowes, the venerable postage-meter company, is building a new mailing label system using these new tools, and inside Okta, people talk about applying them to everything from home internet-of-things systems to massive sensor arrays deployed by energy companies. Okta may start by helping employees jettison a lot of redundant passwords, but its ultimate aim is a lot bigger: the construction of a comprehensive system for authorizing passage, by people and programs, through all the new gates we’re building in Cloud Land. Think of it as the new digital passport office, except the borders it enables crossing are made of code.
Where does that leave you and me on our journey out of password bondage? Right now, you can’t just sign up for Okta as an individual. When you raise this question with Okta executives, they will all take a similar far-off gaze and offer some variation on “We’ll get there.” Jon Todd, the company’s boyish chief architect, says Okta is busy enough right now expanding to take care of external consultants and other loosely affiliated users — but he’s itching for the company to tackle the bigger “identity problem” for the rest of us, someday.
If and when it does, it has one big edge. For Okta, as product lead Eric Berg explains it, identity is the hub of its architecture, not just a single spoke of a system dedicated to something else. Unlike its bigger competitors, Microsoft and SalesForce, Okta doesn’t have any applications or suites to sell you or your company. It has no incentive to lock you into its silo or its stack or whatever other metaphors the software future may bring. If anything, Okta’s interest is in connecting its customers to as many other services as possible.
Corporate customers who’ve lived through previous eras of lock-in by IBM or Microsoft know this in their guts. For something like identity management, a lot of them want a neutral vendor — and Okta embraces the part of enterprise software’s Switzerland. That’s a role it couldn’t play if it were acquired by a cloud giant, like Amazon or Google, or by someone with big plans to sell you hardware or software, like Apple or Microsoft.
What about Facebook? A lot of observers have said that the war for online identity is over, and Facebook has won. People use their Facebook IDs to log in to services across the internet. Why would they need something like Okta? “My belief is that people own their identity,” McKinnon tells me. “And the tool that helps unify identity is going to be at the service of the people, and not at the service of an advertising firm.”
In other words: If you’re going to hand the keys of your online existence — financial and medical and professional and personal — to a single company, it had better be one you trust.
And this is where Okta’s heritage as a boring enterprise-software business might be its ultimate secret weapon. This era in tech has been shaped by big companies that figure out how to solve big problems, hand consumers the solutions for free, and then, too often, sell them out on the back end. With today’s dominant ad-supported services, the price is right, but you never escape the suspicion that someone is looking over your shoulder, deciding whether to sell your email address or show you some shoes.
If all you’re doing is playing a cheesy candy-crushing game, you probably won’t care. But when it’s your identity? You might want to put more of a price on that. If Okta can keep its corporate revenue flowing, you just might be able to trust it not to share or sell your data, or try to upsell you.
Maybe Okta can usher me straight into my Verizon Wireless account the next time I need it without my having to ransack my memory for the forgotten names of guppies. Heck, if they can do it safely, maybe I’d even pay them for the trouble.