Why was this an amazing deal?
Okta was co-founded in 2009 by Todd McKinnon and Frederic Kerrest, who previously worked together at Salesforce [1]. In 2021, Okta was a software vendor of identity and access management solutions, to enable single sign-on for employees and control their access to enterprise applications.
Auth0 was co-founded in 2013 by Eugenio Pace and Matias Woloski, who previously worked 12 years at Microsoft [2]. In 2021, Auth0 was a software-as-a-service provider of identity and access management geared at customers.
Okta’s CEO Todd McKinnon told Fortune [3] “I knew I had to buy Auth0 the moment he laid eyes on the login-tech startup in 2013. The initial proposition was a coy one. I emailed Auth0’s cofounders about the possibility of a partnership. That’s how, in a courteous way, you say we want to buy you. At the time, we were really paranoid about competition.”
Auth0’s CEO Eugenio Pace told Fortune [3] “I regarded McKinnon’s proposal as flattering and a validation of our own ambitions. But having just spent 12 years at Microsoft, I wasn’t ready to give up going it alone on his business, at least not yet. So, I declined.”
Okta undertook a second attempt in 2015, which Auth0 declined again. Okta persisted and in 2021, after 6 months of negotiations, Okta announced to acquire Auth0 for about $6.5bn in stock, nearly 1/6th of Okta’s $35bn market valuation and representing an ARR multiple of 32x.
For Okta and Auth0, this merge turned out to be a winning combination.
Okta company profile
In 2009, Okta was co-founded by Todd McKinnon and Frederic Kerrest, who previously worked together at Salesforce [1].
In 2015, the company raised US $75m in venture capital from Andreessen Horowitz, Greylock Partners, and Sequoia Capital, at a total initial valuation of $1.2bn. At later stages, additional investors joined, such as a16z, Khosla Ventures, Janus Henderson Investors, Glynn Capital, and Ron Conway’s SV Angel [5]. Its funding history is summarised below:
| Date | Amount | Round |
| Sep 02, 2009 | $0,75m | VC |
| Jul 14, 2010 | $10m | Series A |
| Aug 08, 2011 | $17m | Series B |
| Dec 04, 2012 | $25m | Series C |
| Sep 13, 2013 | $27m | Series D |
| Jun 09, 2014 | $75m | Series E |
| Sep 08, 2015 | $75m | Series F |
| Feb 21, 2018 | $300m | Post IPO |
In 2017, Okta announced its initial public offering of 11m shares on the NASDAQ Global Select Market [7].
Okta’s M&A programme
Okta has expanded its capabilities through several strategic and visionary acquisitions.
Before its IPO, Okta had little obligation to publicly disclose acquisitions. Since 2013, it had kept a close eye on Auth0, though initial attempts to acquire the company were unsuccessful. However, Okta began “warming up” with smaller strategic acquisitions, such as SpydrSafe and later Stormpath, both of which aligned with its ultimate goal of securing Auth0.
| Date | Target | Deal size | Ref | Reason to acquire |
| Nov 07, 2014 | SpydrSafe | Unknown | [16] | to add a new capability: how to control access to data by employees in mobile apps |
| Mar 06, 2017 | Stormpath | Unknown | [17] | to add a new capability: how to administer user identities and access by way of an API |
| Jul 18, 2018 | ScaleFT | Unknown | [6] | to add a new capability: how to support the new Zero Trust security model |
| Mar 07, 2019 | Azuqua | $53m | [6] | to add a new capability: how to let customers automate using workflows and deep application integration |
| Mar 03, 2021 | Auth0 | $6,5bn | [4] | to add a new capability: how to manage consumers at scale and support consumer mobile apps using platform APIs |
| Aug 02, 2021 | atSpoke | $90m | [6] | to add a new capability: how to govern the processes to administer access rights and priviliges for end users |
| Jun 12, 2023 | Arengu | Unknown | [18] | to add a new capability: how to offer a low-code enviroment for customers to automate secure forms |
| Oct 04, 2023 | Uno | Unknown | [7] | to add a new capability: a personal password manager that allows end users to securely store, save, and autofill passwords for all their personal apps, across multiple devices |
| Dec 20, 2023 | Spera | $100–130m | [6] | to add a new capability: identity threat detection and security posture management |
Okta’s acquisitions were not just financial acquisitions to gain new revenue, to enter new regions or to imorve their financial performance. Okta truly acquired companies in a visionary way to provide them with new capabilities.
Okta’s market
When Okta was founded in 2009, the Identity & Access Management (IAM) market was dominated by traditional vendors: IBM for mainframe and AS/400 systems, Microsoft with Active Directory, Oracle leveraging its SQL database, and CA Technologies for web access. These providers exclusively offered on-premises solutions, requiring customers to install, manage, and monitor the software on their own servers.
As companies like Salesforce were offering a platform operating in the cloud, traditional vendors struggled to adapt to this new paradigm. Leveraging their experience with Salesforce, Todd McKinnon and Frederic Kerrest founded Okta in 2009 to address the emerging need for secure employee access to cloud-based platforms. They entered a nascent market that soon attracted competitors like Ping Identity, ForgeRock, and OneLogin, along with numerous smaller vendors, including several in Europe. Industry analysts coined the term “Identity-as-a-Service” (IDaaS) to define this new market segment.
Between 2009 and 2015, Okta used its funding strategically, expanding its customer base and building a robust value-added reseller network.
Gartner, one of the world’s leading IT market research firms, regularly publishes a Magic Quadrant, evaluating global vendors within specific solution domains based on their vision and market impact.
By 2015, after completing its final pre-IPO funding round, Gartner’s Magic Quadrant for IDaaS recognised Okta as the undisputed leader in the category [10]. Traditional players like IBM, Microsoft, Oracle, and CA Technologies were noted as slow entrants into the IDaaS market, significantly lagging behind Okta’s vision and execution.
Parallel to the IdaaS evolution, a new solution domain emerged: CIAM (Customer Identity & Access Management), focused on digital consumer profiling. The first mover in this space was Janrain, founded in Portland in 2002. Its original concept revolved around a consumer-friendly “Facebook Login” for media websites. In 2006, Gigya was founded in Tel Aviv, with a mission to turn unknown site visitors into known, loyal, and engaged customers.
In 2013, Janrain and Gigya were joined by Auth0, founded by Eugenio Pace and Matias Woloski. Auth0 recognised that consumers were increasingly shifting to native mobile apps for e-commerce, ranging from reading news and booking rides with Uber to reserving AirBnB accommodations and purchasing airline tickets. This represented a major shift from browser-based access to mobile-native platforms relying on APIs (Application Programming Interfaces). In this new paradigm, access control transitioned from humans to devices.
Up to 2017, Okta primarily sold its platform to IT departments, specifically targeting CIOs who implemented the software to control access and provide single sign-on to enterprise applications. However, the rise of API-based services marked a shift in the market. Okta realised the need to enter the emerging CIAM and API access market. While their traditional market focused on CIOs controlling employee access, the CIAM market catered to mobile app developers, requiring Okta to expand its audience to the developer community.
Okta’s CEO, Todd McKinnon, had been interested in Auth0 but was initially unsuccessful in acquiring it. In his visionary move, Okta made an early acquisition of Stormpath in 2017, which targeted developers. As McKinnon explained in 2017:
“Our vision for the Okta Identity Cloud is to become the authentication layer for every app, service, device, and person, giving developers a better and more secure way to manage user access to whatever they are building. Okta is looking to do this quickly, rather than continue to build out a competing product organically. The Stormpath team brings great technical talent and a deep understanding of developer needs, both of which are necessary to provide a world-class developer experience.”
“Developers are becoming major buying centers and decision makers within organisations, and with no signs of that trend slowing, the need for secure application integration is growing. We’ve seen this first-hand from our customers — and that’s what is driving us to build and scale the product, and the team supporting it, more quickly.”
By 2019, Gartner observed that the IDaaS market had matured and begun to converge with traditional internal employee access, coining this expanded domain Identity & Access Management (IAM). At the same time, Gartner acknowledged the growing importance of CIAM and API-based access, with Auth0 appearing on their radar by 2018.
By the end of 2020, just before Okta acquired Auth0, Gartner regarded Auth0 as a serious challenger [10]. While Okta remained a leader, they faced competition from new leaders like Microsoft, Ping Identity, ForgeRock, and OneLogin.
Recognising that Auth0 had become a critical player since its founding in 2013, Okta realised they could no longer delay acquiring the capabilities essential for CIAM and API-based access. This urgency culminated in the 2021 acquisition of Auth0, a move widely regarded as a major disruption in the IAM market.
In hindsight, Okta had already begun building the necessary capabilities with its earlier acquisitions: SpydrSafe in 2014, which provided expertise in mobile app security, and Stormpath in 2017, which brought expertise in mobile app access control. However, it was the acquisition of Auth0 that ultimately enabled Okta to fully tap into this emerging market.
Today, Okta covers the full range of access control domains identified by industry analysts: Enterprise-IAM, Customer-IAM, Identity Governance & Administration, and Privileged Access Management. Okta’s commercial figures of FY 2023-2024 [7] are:
- $2.263bn total revenue, with $471m outside of the US
- Revenues are primarily subscriptions with only 3% professional services ($58m)
- More than 18,800 customers, of which 4,365 customers have an annual contract value more than $100k.
Since Okta’s acquisition of Auth0, the market further consolidated: OneLogin got acquired by One Identity in 2021 and Ping Identity merged with Forgerock in August 2023.
About SaaS valuation
After the dotcom bubble, the IT industry has undergone a significant transformation with the shift to the cloud. The cloud further enabled the shift from traditional software licenses to Software-as-a-Service (SaaS) subscriptions. Traditionally, software licenses were installed and operated by the customer in their datacentre of choice. A SaaS platform is deployed, managed, and run by the provider in a multi-tenant environment. This change has transitioned revenue models from a one-time license fee plus an optional support and maintenance fee (typically around 15%), to a monthly subscription fee structure.
Salesforce pioneered this shift in 1999 with the launch of its CRM platform, the first SaaS solution designed from the ground up. This was particularly advantageous during economic downturns like the dot-com bust and the economic downturn less than a decade later, which negatively impacted on-premises software sales (booked as capex) in favour of subscriptions (booked as opex).
Initially, the SaaS model was dismissed as a temporary trend suitable only for startups and small businesses. It was perceived as being too closed, slow, or unstable for large enterprises, which preferred comprehensive, end-to-end software suites. However, advancements in cloud technologies, which had little impact on traditional software, significantly benefited SaaS. These improvements enabled the model to gain traction and viability, even for large enterprise applications.
Opex vs capex
During the economic downturn, companies faced pressures on capex and began shifting towards opex. The perceived advantages included:
- Better cash flow management as expenses are spread over time, as opposed to a spike in cash-out for which debt and amortisation is needed
- Better balance sheet health, since costs are recognised in the periods they occur and deliver value
- Favourable tax benefits, as opex can be fully deductible
- Increased control over (financial) risk, as there is no large upfront investment and subscriptions can (theoretically) be terminated at any time, offering flexibility.
About ARR
For the SaaS provider, the income dynamics change. As Okta put it [7]: “Revenue is derived from subscription fees and to a small extent from professional services fees. Subscriptions are generally one to five years in length and generally non-cancellable and non-refundable. Furthermore, if a customer reduces the contracted usage or service level, the customer has no right of refund. The subscription arrangements do not provide customers with the right to take possession of the software supporting the platform and, as a result, are accounted for as service arrangements. This revenue recognition policy is consistent for sales generated directly with customers and sales generated indirectly through channel partners.”
Even though not a GAAP recognised metric like EBITDA, the ARR (Annual Recurring Revenue) has become the norm for valuating SaaS companies. Rather than taking plain revenues or the EBITDA in the Comparable Companies Valuation, the SaaS industry uses ARR as the basis [9].
Subscriptions are typically made on a monthly basis. The associated MRR (Monthly Recurring Revenue) represents the total subscription revenues recognisable within a single month. ARR, however, isn’t simply the total subscription revenue for an entire year; instead, it’s calculated by taking the MRR from the last month in the period and multiplying it by 12.
This approach reflects the assumption that the MRR of the latest month serves as the foundation for the next 12 months, upon which growth is built. Growth doesn’t come solely from acquiring new customers—it also stems from upselling additional services to existing customers and increasing usage volumes by existing customers. Of course, churn can nibble at this foundation, which is why minimising churn is a critical focus for SaaS providers.
Auth0 Valuation
On May 3, 2021, Okta announced the successful completion of its acquisition of Auth0 for about $6.5bn in stock, nearly 1/6th of Okta’s $35bn market valuation.
As discussed earlier, the global CIAM market in 2020 was defined by three key vendors: Janrain, Gigya, and Auth0.
Janrain, founded in Portland in 2002, was acquired by Akamai in January 2019 through an all-cash transaction [11]. The sale price was estimated at $125m [12], with Janrain’s ARR (not publicly disclosed) estimated at $30m [15], representing an ARR multiple of 6x.
Gigya, founded in Tel Aviv in 2006, was acquired by SAP in 2017 for $350m [14]. At the time, Gigya’s estimated ARR (also not publicly disclosed) was $50m [15], yielding an ARR multiple of 7x.
By the time Okta was negotiating with Auth0, no other global pure-play vendor remained in the CIAM domain. Meanwhile, Auth0 was on track to generate over $200m in Annual Recurring Revenue (ARR) for the calendar year 2021.
Okta’s acquisition of Auth0 of $6.5bn and Auth0’s ARR of nearly $200m, thus represents a multiple of 32x in the Comparable Companies Valuation.
An ARR multiple of 32 was unseen in the market, certainly compared to SAP’s and Akamai’s acquisitions of Gigya and Janrain. Yet, TechCrunch analysed the deal as follows [4]:
“Presume that Auth0’s revenue growth is more than 40% in calendar 2022. At the end of that year it could reach $280m in ARR (see the ARR discussion above). At that scale, the price that Okta is paying for Auth0 today can easily be made to pencil out. Perhaps Okta paid more for the company than it might be worth today, but add in another few quarters of growth and the whole deal can be made to appear quite reasonable.
Finally, Okta is buying itself a faster growth rate. The company expects to grow 30% to 31% in the current quarter, and 29% to 30% in its current fiscal year (fiscal 2022, which is close to our calendar 2021). Auth0, in contrast, is growing at 50%, give or take.
So Okta is not merely purchasing a large block of revenue, but a chunk of top line that is growing more quickly than the rest of its business. And when we factor in, say, $150m of GAAP revenue for Auth0 this year, Okta reaches more than $1.2bn in total revenue instead of its current estimate of $1.08bn to $1.09bn. That’s material.”
Deal structure
As a growing tech company with subscription-based revenues, Okta was operating at a loss. While subscriptions allow customers to shift from capex to opex, they have the opposite effect on the SaaS provider’s cash flow. Providers must invest heavily in software development and operational infrastructure (capex) upfront, while subscription revenues are recognised more gradually.
At the time of Okta’s acquisition of Auth0 in May 2021, Okta reported an annual EBITDA of approximately $-59m for the fiscal year ending January 31, 2021. This negative EBITDA underscores that Okta was still operating at a loss during that period [7].
While Okta had gained significant insight into the market and the achievements of Auth0 prior to the acquisition, they opted for an all-stock deal. Okta’s share price had performed exceptionally well, reaching an all-time high of $292, making stock payments particularly advantageous. Additionally, Okta had strong confidence in Auth0’s management team and aimed to retain them, recognizing their expertise in addressing a unique buying persona: developers.
Following the acquisition, however, Okta’s stock price plummeted. Okta was and still is unprofitable, reporting a loss of $-376m in the most recent fiscal year even though revenues have grown year-over-year by 22%, reaching $2.26bn with a GPM of 74%.
The precise payment terms of the acquisition remain unknown, but Okta did everything to integrate Auth0. It suffered, however, from the different sales & marketing approach needed to address a developer community as opposed to IT managers and security officers.
References
[1] Wikipedia · Okta Inc. · November 15, 2024 · https://en.wikipedia.org/wiki/Okta,_Inc.
[2] Auth0-by-Okta Blog · Eugenio Pace · https://auth0.com/blog/authors/eugenio-pace/
[3] Fortune · Okta’s AuthO deal closes: Inside the 8-year, $6.5 billion courtship · Robert Hackett · May 3, 2021 · https://web.archive.org/web/20210504143735/https://fortune.com/2021/05/03/okta-auth0-deal-stock-login-acquisition
[4] TechCrunch · Making sense of the $6.5B Okta-Auth0 deal · Alex Wilhelm, Ron Miller · March 4, 2021 · https://techcrunch.com/2021/03/04/making-sense-of-the-6-5b-okta-auth0-deal/
[5] Crunchbase · Organization Oka · November 15, 2024 · https://www.crunchbase.com/organization/okta/company_financials
[6] Tracxn · Acquisitions by Okta · Last updated: October 4, 2024 · https://tracxn.com/d/acquisitions/acquisitions-by-okta/__dP1ZS8p5nyTcH8CpTecTYQQL8thmZJdd_D_Of9lWf9U
[7] Okta · Annual Reports · https://investor.okta.com/financial-information/annual-reports
[8] ComputerWorld · Okta acquires Stormpath to boost its identity services for developers · Blair Frank · March 6, 2017 · https://www.computerworld.com/article/1663782/okta-acquires-stormpath-to-boost-its-identity-services-for-developers.html
[9] DrivenInsights · ARR vs. EBITDA: Best SaaS Metrics for Valuation · July 9, 2024 · https://www.driveninsights.com/small-business-finance-blog/arr-vs-ebitda-which-is-the-best-saas-valuation-method
[10] Gartner · Magic Quadrant for Access Management · https://www.gartner.com/en/documents/3993219
[11] Akamai · Akamai Completes Acquisition of Customer Identity Access Management Company Janrain Inc. · January 23, 2019 · https://www.akamai.com/newsroom/press-release/akamai-completes-acquisition-of-customer-identity-access-management-company-janrain-inc
[12] Portland Business Journal · That sale price for Janrain? $125M · Maila Spencer · March 1, 2019 · https://www.bizjournals.com/portland/news/2019/03/01/that-sale-price-for-janrain-125.html
[13] PR Newswire · SAP to Acquire Gigya, Market Leader in Customer Identity and Access Management · September 24, 2017 · https://www.prnewswire.com/news-releases/sap-to-acquire-gigya-market-leader-in-customer-identity-and-access-management-300524708.html
[14] Wikipedia · Gigya · November 15, 2024 · https://en.wikipedia.org/wiki/Gigya
[15] Own informal sources
[16] Techcrunch · Okta Catches SpydrSafe In Its Enterprise Web · November 7, 2014 · https://techcrunch.com/2014/11/07/okta-spydrsafe/
[17] Techcrunch · Okta acquihires Stormpath, doubles down on identity in apps and APIs · March 6, 2017 · https://techcrunch.com/2017/03/06/okta-stormpath/
[18] Kfund · Okta acquires Arengu · December 13, 2019 · https://www.kfund.vc/post/okta-acquires-arengu
Controlled AI services 