Okta Teardown 2020
In this teardown I will go over:
- What Okta does, its many products, and how it goes about acquiring users
- Why I think it's positioned to keep growing & dominating its market
- An overview of its competitors, both public & private
- Its Q3 Financials, and where I think the stock will go at the end of 2024
Okta is a company focused on Identity Access Management (IAM), which is software for knowing who all the users are, controlling what they have access to, and having an audit of everything these users are accessing. Identity is under the cybersecurity umbrella, making sure everyone has the correct access & protecting companies from bad actors. Identity can be divided into two focuses: Workforce Identity to manage identity for a company's employees, and Customer Identity, to manage identity for a company's customers.
Modern companies use multiple software tools to keep their employees productive (Slack, Zoom, Salesforce, etc.). Some companies need to provision 10+ different pieces of software every time an employee joins. At the end of employment, they would also need to revoke the 10+ accounts, creating a large surface area for a company to secure.
Okta reduces this complexity with its Workforce Identity Solution. Its workforce identity product gives customers Single Sign-On (SSO) so employees only log in once with a single account to reach all the software they should have access to. Now employees only have to worry about one account instead of memorizing 10 passwords.
The company gets a centralized single pane of glass, or the Universal Directory, to provision, control access, audit usage, and manage the employee lifecycle. They can group employees, and apply password policies to these groups to prevent insecure practices like making your password "password". They can also manage devices through their Universal Directory.
Okta also offers visual programming to create workflows, known as workforce lifecycle management. This is a no-code drag & drop interface that allows companies to perform a set of actions when a user is added or removed from Okta. Companies can create workflows like provisioning file access to Box folders based on role, or sending out emails to HR for deactivated accounts. Having workflows between Okta and other business software makes it incredibly sticky to their onboarding & security practices.
Okta Integration Network
Okta Integration Network (OIN) is a network of 6,500+ pre-integrated applications to their platform. Having these integrations makes it very easy to deploy additional software to every employee at a company, and having so many gives it a leg up on its competitors. It also gives Okta a moat:
- Companies choose Okta because it has the most integrations, making it the easiest identity platform to integrate with all the software it already uses or wants to add.
- B2B Software needs to integrate with Okta because a large part of their target customer base is on it. They then create their integration to the OIN, further strengthening the Okta network value add to companies.
Securing Identity: MFA + ThreatInsight
Multi-Factor Authentication (MFA) is the process that adds additional steps when signing in. A "factor" is something used to ensure you are the correct person attempting to log into an account. A common example of a factor is additional login codes you get via SMS. This adds additional security in case a password gets compromised by a hacker. While SMS is just a basic example of a factor, factors can get more complex to ensure the right person is attempting to sign in.
Okta offers an Adaptive MFA, meaning that Okta can increase or decrease the security of a sign in based off various pieces of information it gets about a sign in attempt. Companies can create policies utilizing information like:
- If a sign in comes from a new location or far location
- If it's a new device or if it's a company managed device
- If it's from a new IP address, requests from an anonymous proxy, etc
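The signals listed above can be combined into a step-up decision. The following is an added example, not Okta's policy engine or API: the signal names, the 500 km cutoff, the three actions and the sample sign-ins are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from math import asin, cos, radians, sin, sqrt

FAR_KM = 500  # assumed cutoff for a "far" location


@dataclass(frozen=True)
class SignIn:
    ip: str
    device_id: str
    managed_device: bool
    anonymous_proxy: bool
    lat: float
    lon: float


@dataclass
class UserHistory:
    known_ips: set = field(default_factory=set)
    known_devices: set = field(default_factory=set)
    last_lat: float = 0.0
    last_lon: float = 0.0


def km_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def evaluate(signin, history):
    """Return (action, signals): ALLOW, STEP_UP_MFA or DENY plus the reasons."""
    signals = []
    if signin.anonymous_proxy:
        signals.append("anonymous_proxy")
    if signin.ip not in history.known_ips:
        signals.append("new_ip")
    if signin.device_id not in history.known_devices:
        signals.append("new_device")
    if not signin.managed_device:
        signals.append("unmanaged_device")
    if km_between(signin.lat, signin.lon, history.last_lat, history.last_lon) > FAR_KM:
        signals.append("far_location")
    # Assumed policy: a proxy plus an unknown device is blocked outright;
    # any other risk signal asks for a second factor; a clean sign-in passes.
    if "anonymous_proxy" in signals and "new_device" in signals:
        return "DENY", signals
    return ("STEP_UP_MFA" if signals else "ALLOW"), signals


# Constructed sample data (documentation IP ranges, made-up device ids).
HISTORY = UserHistory({"198.51.100.7"}, {"laptop-01"}, 37.77, -122.42)
USUAL = SignIn("198.51.100.7", "laptop-01", True, False, 37.77, -122.42)
TRAVEL = SignIn("203.0.113.9", "laptop-01", True, False, 51.51, -0.13)
PROXY = SignIn("192.0.2.44", "unknown-77", False, True, 37.77, -122.42)

if __name__ == "__main__":
    for name, s in [("usual", USUAL), ("travel", TRAVEL), ("proxy", PROXY)]:
        print(name, *evaluate(s, HISTORY))
```

Returning the list of signals alongside the action gives the audit log the reason a second factor was requested, which is what an analyst needs when reviewing a disputed sign-in.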
They also provide a service called ThreatInsight that leverages the massive data from their integration network combined with machine learning to protect companies from suspicious login attempts. As more companies use ThreatInsight, Okta can better protect all their companies on their network, adding more to its moat.
API Access Management
APIs are a growing way to consume and share data between services and companies. Securing APIs can be different from securing web applications based off architecture (see SAML vs OAuth 2.0), so it's offered as a separate module. API Access Management via Okta can save the company development time and lower the risk of a security breach.
Advanced Server Access
With the adoption of cloud, especially the rise of hybrid & multi-cloud, companies now have to manage access to many more servers than they ever did before. This increases the complexity of controlling and securing who has access to each server.
Traditionally companies gave "access keys" to employees, which are pieces of information an employee can use to log in to the remote servers. Companies have to manage these keys by revoking them when employees leave. They also periodically rotate keys, which means everyone gets new keys while the old ones are invalidated. As more servers are involved, the likelihood of a mismanaged/forgotten key increases, which can lead to breaches. What makes matters worse is that keys are easily & often shared, so they are often difficult to find and identify.
Okta's Advanced Server Access solves this problem by generating single-use keys tied to a user's identity for access. Companies no longer need to revoke and manage these keys since they are single use, and the audit trail is much stronger since each use is associated with an identity. This practice of single-use keys can drastically reduce the risk of a security breach, and should be a standard practice for any company storing sensitive data.
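To make the contrast with long-lived shared keys concrete, here is a simplified model of identity-bound, single-use credentials. It is an added example and not how Okta Advanced Server Access is implemented: the HMAC-signed token format, the shared issuer key, the claim names and the 60-second lifetime are assumptions.

```python
import hashlib
import hmac
import json
import secrets
import time

# Toy trust anchor shared by the issuer and the servers (assumption of this model).
ISSUER_KEY = secrets.token_bytes(32)


def _sign(body: bytes) -> str:
    return hmac.new(ISSUER_KEY, body, hashlib.sha256).hexdigest()


def issue(user, server, ttl=60, now=None):
    """Mint a credential for one user, one server, one use, valid for ttl seconds."""
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": server, "exp": now + ttl,
              "jti": secrets.token_hex(16)}  # jti: unique id enabling one-time use
    body = json.dumps(claims, sort_keys=True).encode()
    return body.hex() + "." + _sign(body)


class Server:
    def __init__(self, name):
        self.name = name
        self.used = set()   # ids already redeemed (a real store would expire them)
        self.audit = []     # (user, outcome) for every attempt

    def login(self, credential, now=None):
        now = time.time() if now is None else now
        outcome, user = self._check(credential, now)
        self.audit.append((user, outcome))
        return outcome

    def _check(self, credential, now):
        try:
            body_hex, sig = credential.split(".")
            body = bytes.fromhex(body_hex)
        except ValueError:
            return "malformed", None
        if not hmac.compare_digest(_sign(body).encode(), sig.encode()):
            return "bad_signature", None
        claims = json.loads(body)
        user = claims["sub"]
        if claims["aud"] != self.name:
            return "wrong_server", user
        if now > claims["exp"]:
            return "expired", user
        if claims["jti"] in self.used:
            return "replayed", user
        self.used.add(claims["jti"])
        return "ok", user


if __name__ == "__main__":
    db = Server("db-01")                      # constructed server name
    cred = issue("alice", "db-01")            # constructed user
    print(db.login(cred), db.login(cred))     # second use of the same key fails
    print(db.audit)
```

A copied credential is useless after its first redemption or its expiry, and every audit entry names the identity it was issued to, which is the property the paragraph above credits for the stronger audit trail.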
Customer Identity Management
Okta builds software for companies to allow their customers (rather than their employees) to authenticate into their apps. They can leverage their work from Workplace Identity to provide an improved experience over building out their own customer identity management. Workplace Identity features that are also available in the Customer Identity Management platform:
- Companies can manage user account lifecycles (accounts created, pending activation, needs password reset, etc)
- They can create workflows around user registration & lifecycle management. For example, companies can automatically enter new customers into their CRM and sync their profiles across the many applications they use.
- Customers can benefit from their network data in ThreatInsight to identify & block specific IP addresses from hacking into customer accounts.
- Customers can use Adaptive MFA to further secure the customer accounts
Go To Market
While Okta does allow anyone to sign up and acquire customers via bottoms-up adoption, most of its revenue is driven by top down sales: 80% of their ACV is from customers with > 100k ACV.
It is somewhat expensive to acquire a customer in the identity space, but Okta does it the best with a 2 year payback. While acquisition is expensive, they are sticky and the long-term unit economics are good. They can often expand their revenue with the customer by upselling one of their many additional products to help their customer better protect their identities or build. They can also increase pricing as the customers grow since their products are priced per user.
Okta offers their many different products and features as individual modules, priced per seat. The modules really allow companies to try Okta for SSO, and when companies need a product like Advanced Server Access, they can easily upgrade their offering. The per user pricing is great because it means Okta can grow its revenue as a customer scales up in size. Since identity is ubiquitous, the seats can expand to the entire company rather than stay in very specific orgs within a company.
There are quite a few competitors in the public & private landscape. While I think Okta is and will continue to be the leader in workforce identity, these software markets are much bigger than people anticipate, and multiple players can be successful and get a meaningful piece of the pie. I want to quickly go through these competitors to get a sense of where Okta's competitors are in the market.
Ping Identity is a public company that also provides workforce & identity solutions, but with fewer integrations (1,500), and it doesn't have a feature comparable to Advanced Server Access. They have negative overall revenue growth & are at a smaller revenue scale.
They offer ways to manage users access & permissions within applications, but don't seem to provide SSO and other powerful features around it to make a complete workforce identity product. They are less than half the size of Okta and growing at a slower rate of 24%. They have to integrate with Okta to cover the missing features in workplace identity. Their CAC payback period is also high at > 3 years, vs Okta's 2 year payback.
CyberArk's core business is cybersecurity to protect proprietary/confidential data, but in 2019 it acquired an identity company, Idaptive, to compete in the workplace identity space. The company had negative topline revenue growth, but 40% ARR growth as the company transitions from licenses to subscriptions. However, CyberArk's revenue is less than half the revenue scale of Okta. Okta seems better positioned for the future as they are a cloud-first company.
Microsoft Active Directory
Microsoft's Active Directory is their IAM product on Azure. Azure is a fast growing cloud platform and their ability to bundle an identity product with it makes it one to watch, since many businesses are already using other parts of their cloud offerings. While it is one of the biggest competitors on management's radar, Active Directory is tied with Azure, so it's less attractive to customers not already on Azure (AWS, GCP), and less attractive to those that want to use multi-cloud.
OneLogin is still private & delivers similar services around workplace identity management as Okta, but seems earlier on the auxiliary offerings such as customer identity management. G2 Crowd reviews rate it a 4.3/5, which is a smidge lower than Okta's 4.5/5. OneLogin was between 50-100m of revenue in Jan 2019, growing 50% (source). Okta was growing at the same rate around that time, but at 4-8x the revenue scale.
ForgeRock is another player in the private market that has a similar feature set to Okta providing both consumer and workplace identity. It is growing at 75% at above 100m in ARR, with large customers like Toyota & Geico. While it is growing quicker, it looks like it's roughly 4-8x smaller.
Auth0 is the competitor I'm the most interested in. Articles from 2020 & 2019 suggest the 2019 and 2018 growth were 70% & 100% respectively. I couldn't find any definitive revenue scale for the company.
While Okta focuses more on the workforce identity use case, Auth0 focuses more on the customer identity use case. Their GTM in the identity space is primarily through having a great SDK to develop identity for the cloud applications. This is what really sets them apart from the other competitors, as they target a different profile for customer acquisition. Auth0 seems to have an appeal in technology-first companies (Atlassian, AMD, Arduino) and have an edge on bottoms up adoption for customer identity tools. This wedge into enterprises can allow Auth0 to upsell its other products.
The founder has the perfect background for this company: he was an engineer on Microsoft Azure who felt that one of the biggest challenges of moving applications to the cloud was implementing identity.
While I think Okta will maintain a dominant position in workplace identity, Auth0 is a company to watch out for while it competes in the customer identity space.
Why is OKTA positioned to continue winning?
- They are the largest independent identity provider. Independence is important because companies don't want to tie their identity to a single cloud provider, especially if companies want to be multi-cloud (having services across multiple cloud providers).
- They are significantly larger than all the public & private competitors we have insight into, and they are the gold standard for an identity platform. Being the largest gives it most of the mindshare, which is an important part of the decision-making process of adopting software. Anytime they release a new feature, many others have to follow to remain competitive.
- Okta has the largest integration network & ThreatInsight, and both create moats with powerful flywheels. Companies choose Okta because it can provide best-in-class authentication and ease of integration with tons of software. Every B2B SaaS company is incentivized to integrate with Okta since so many customers are on it, increasing the strength of their integration network and ThreatInsight.
- Identity & Security are often areas where companies want the best in class solutions, so it doesn't seem like an area where competitors can win a significant part of the market by simply underpricing.
- Being the source of identity for an organization allows Okta to develop additional interesting products to sell to their customers. While historically Okta wasn't known as a company to develop amazing new products, I think that is changing. The development of Advanced Server Access & Identity Workflows shows what kind of products Okta can build with its position in the stack.
- We are early in the S-curve for cloud adoption around the world, and companies will need identity providers as they move into the cloud. Gartner in November 2020 estimates that we are roughly at a 10% adoption today and rapidly accelerating to 50% in 2024. Okta is in the best position to ride this massive adoption. Okta is also spending efforts opening up more international offices in order to acquire & service more customers abroad.
- Another accelerating trend that is early in the S-curve is zero-trust security. The identity source/provider is a key part of zero-trust since we need to know who is attempting to access what. Okta made some key partnerships with other companies in the zero-trust stack like CrowdStrike & Proofpoint.
Revenue & RPO
Top-line & subscription revenue growth are 42% & 43% respectively at around 826M of ARR for Okta. In the last quarter Okta added 64M of recurring revenue, and has been consistently adding ~60M every quarter the entire year.
It's growing faster than all its direct competitors in the public market while a few private market competitors were growing a bit faster. Both of the private & public market competitors are at a much smaller scale, meaning that the absolute growth was much larger than all its competitors.
Another thing to call out from their earnings call is that their enterprise customer growth remains strong. Their customer segment with > 500k ACVs grew by 50%. They also estimate that their revenue will grow at a 35% CAGR through 2024, which is incredibly impressive since it means their growth rate will be incredibly persistent.
Another key revenue metric is Remaining Performance Obligation or RPO. RPO is contracted subscription revenue they can't recognize since the service hasn't been delivered. For example, if a company pays for a 2-year deal upfront, and they are 6 months into the deal, Okta can only recognize a quarter of the money as revenue. Okta has a staggering 1.6 billion in RPO, which was a 53% increase year over year. RPO can be broken out to RPO that will be recognized in the next 12 months, which is 750M, up 46% year over year.
Pointing out RPO is important when understanding Okta because revenue can be trailing where the growth of the company really is.
Gross margin this quarter was 74%, which was consistent with the previous quarters. As the business sells more and more software on top of its platform I can see it trending closer to 80% in the coming years. The only thing I can see that might bring it down in the future is if it offers more free tier services to improve its customer acquisition into new products, which should drive revenue growth in the longer term.
Net Dollar Retention
Net Dollar Retention reaccelerated to 123%, improving from a sub-120% in several quarters in 2019. This boost in NDR is probably from their efforts to introduce many new products to their platform. One of the most common concerns I've heard about Okta is their new product release speed compared to the best technology companies. After listening to their earnings call and observing the company release new products, I've become confident that they are fighting this image, and their success is showing up in their NDR.
24 months is often the benchmark for efficient enterprise sales and Okta has consistently floated around that benchmark. Their public competitors like Ping Identity & Sailpoint both have much larger paybacks on their sales and marketing spend.
Free Cash Flow %
They had their highest Free Cash Flow margin since IPO at 19%, and spent the last 4 quarters cash flow positive. It's always great to see companies break into profitability, especially while growing at a high rate.
Valuation + Model
Okta is currently trading at 34x EV/NTM Revenue at the time of writing and historically has traded close to or above the rate for high growth SaaS even though it's always been on the growth rate side of high growth SaaS. The reason for this is that market leaders always have a leg up capturing new customers when a market grows. Their growth also reflects the massive amount of RPO growth, waiting to be recognized as revenue in the coming quarters. Cloud acceleration and recent large security breaches have bumped up cybersecurity valuations as well.
I did a simple model of where I think Okta will be at the end of the year in 2024 (FY 2025 for the financial analysts) assuming:
- Okta grows at a ~35% CAGR until EOY as estimated by their team. Companies usually undersell their revenue outlook meaning that this is a conservative estimate, so I'll be using the top of that range.
- They estimate a 25% FCF Margin but by looking at the way they've been releasing new products and the tremendous improvement of their margins over the last few years I'm going to assume FCF will be closer to 30%.
- I assume a 4-5% stock dilution year over year, which is more conservative than several rules of thumb I've observed from other models.
- I am using a terminal run rate multiple of 25-30x. With a 35% CAGR from the company's own projections, I estimate that the company will be growing at 31% at the end of this time frame. Using this revenue growth plus a 25-30% FCF margin, I think the EV / Run Rate will be in the 25x-30x looking at comps today. The range could be higher, because if Okta executes as stated, it should be a market dominant company which would fetch a higher multiple. The biggest risk to this assumption is if Okta underperforms (market dominance slips or S-curve adoption doesn't materialize) or software multiples are lower in the long term horizon.
- The model estimates the 4 year CAGR of 12-15% from the price of $275 at the time of writing.
Okta is in a dominant position to own a large market share for identity. This is an exciting place to be as we are early in the S-curve for adopting identity in the cloud. Their platform provides a best-in-class solution for customers and has moats that can keep it the best-in-class solution. While the valuation is high relative to its current growth, it seems justifiable given the position, market, and RPO. We can see meaningful price appreciation even at today's valuation if we look far enough into the future, and I'm always interested in investing in dominant companies in a hyper-growth market.
Views expressed are ours and ours alone and don't represent that of our previous or current employers. Public Comps provides financial and industry information regarding public software companies as part of our weekly dashboard, our blog, and emails. Such information is for general informational purposes only and should not be construed as investment advice or other professional advice.
Full disclosure: I own CRWD, TWLO, SHOP, AMZN, FB, MSFT, DDOG, ESTC, FSLY, TEAM, OKTA.