Vivian Voss

Auth0 — The Identity Tax

security architecture saas

The Invoice ■ Episode 18

"Authentication is hard. Don't roll your own. Use Auth0."

Splendid. Let us examine what one is actually paying for.

Auth0 was founded in 2013 by Eugenio Pace and Matias Woloski. Five months later, Okta's CEO Todd McKinnon made his first acquisition offer. It took eight years of courtship. In May 2021, Okta closed the deal at $6.5 billion in stock, for a company doing roughly $200 million in annual revenue. The arithmetic, as one might politely observe, suggests the customer would eventually pay for the difference. The customer, as it turned out, was rather good about it.

The Pricing Invoice

The Auth0 pricing page reads like a staircase, and the staircase tilts. Free up to 7,500 monthly active users. Then Essentials at $35 per month for 500 MAUs. Then Professional at $240 per month for 1,000 MAUs. Then Enterprise, a custom contract typically starting at $30,000 per year, becomes mandatory once one exceeds 20,000 MAUs on the Professional tier. One may applaud the tiered design, or one may notice that the gradient steepens precisely at the point where leaving becomes expensive.

In September 2023, the per-MAU price on B2C Essentials roughly tripled in a single announcement. The free tier was generously expanded at the same time, presumably to soften the blow. The relationship between "expanded free tier" and "growth penalty at the boundary" is, by any measure, a rather elegant study in price discrimination. One pays nothing to get started. One pays rather a lot once one matters.

Figure: The Growth Penalty. Free: $0 up to 7,500 MAUs. Essentials: $35/mo for 500 MAUs (per-MAU price tripled in 2023). Professional: $240/mo for 1,000 MAUs. Enterprise: ~$30k/yr, mandatory above 20k MAUs. Caption: The staircase tilts at the point where leaving becomes expensive. Okta paid $6.5B for $200M of revenue; someone had to pay for the arithmetic.

The Breach Invoice

January 2022. Lapsus$ compromises a support engineer's laptop at Sitel, an Okta sub-processor, and uses it to reach Okta's internal support tooling. The public learns of this two months later, in March 2022, when Lapsus$ posts its screenshots; the disclosure triggers an 11 per cent stock drop. Six billion dollars of market capitalisation, gone in a single trading session. The securities class action was eventually settled in July 2024 for $60 million. The incident is now a textbook case in how supply-chain access through a sub-processor can compromise an identity provider. One does admire the geometry: the attacker chose the laptop nobody was watching.

October 2023. An Okta employee signs into a personal Google profile on their work laptop and saves service account credentials there. Attackers reach the personal account. They access HAR files in the support case management system. The HAR files, submitted by customers for debugging purposes, contain live session tokens. One does wonder what those customers thought they were sending.

The attackers harvest the tokens and hijack five customer environments. 1Password, Cloudflare, and BeyondTrust each detect suspicious administrator login attempts and notify Okta. Not the other way round. Okta's root-cause analysis of 3 November 2023 put the number of customers whose HAR files had been accessed at 134, under one per cent of its customer base.

Then, on 29 November 2023, the scope was expanded: the threat actor had also run and downloaded a report listing the full names and email addresses of every user of the customer support system, which is to say every Okta customer, across both Workforce Identity and Customer Identity. "All of them" replaced "less than one per cent". One does wonder how the recalibration was decided, and over what length of meeting.
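The HAR files in that incident were uploaded by the customers themselves, and the session tokens went with them. The check a practitioner wants is a sanitiser that runs before the file leaves the building. What follows is an added example written for this article, not Okta's or any customer's tooling: a Python function that walks a HAR 1.2 document and blanks authorization headers, every cookie, token-bearing query parameters and token-endpoint bodies. The header and parameter name lists, the sample capture and the tokens in it (at-123, sess-456, rt-789) are all constructed for the example.

```python
import copy
import json
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Names whose values are credentials or session material. These sets are this
# example's own choices (assumptions); extend them with whatever your stack uses.
SENSITIVE_HEADERS = {"authorization", "proxy-authorization", "cookie", "set-cookie", "x-api-key"}
SENSITIVE_PARAMS = {"access_token", "id_token", "refresh_token", "code", "token"}
BODY_MARKERS = ("access_token", "id_token", "refresh_token", "password")
REDACTED = "[REDACTED]"


def _redact_named(records, names):
    """Blank the value of every {name, value} record whose name is in `names`."""
    for record in records:
        if record.get("name", "").lower() in names:
            record["value"] = REDACTED


def _redact_url(url):
    """OAuth callbacks and sloppy APIs put codes and tokens in the query string."""
    parts = urlsplit(url)
    if not parts.query:
        return url
    cleaned = [(k, REDACTED if k.lower() in SENSITIVE_PARAMS else v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def _redact_body(container):
    """Token-endpoint bodies carry the tokens themselves, so drop the whole body."""
    text = container.get("text")
    if isinstance(text, str) and any(marker in text for marker in BODY_MARKERS):
        container["text"] = REDACTED


def sanitize_har(har):
    """Return a redacted deep copy of a HAR 1.2 document; the input is left untouched."""
    har = copy.deepcopy(har)
    for entry in har.get("log", {}).get("entries", []):
        req, resp = entry.get("request", {}), entry.get("response", {})
        if "url" in req:
            req["url"] = _redact_url(req["url"])
        _redact_named(req.get("queryString", []), SENSITIVE_PARAMS)
        _redact_named(req.get("headers", []), SENSITIVE_HEADERS)
        _redact_named(resp.get("headers", []), SENSITIVE_HEADERS)
        # Every cookie is a potential session, so all of them go, not a list of names.
        for cookie in req.get("cookies", []) + resp.get("cookies", []):
            cookie["value"] = REDACTED
        _redact_body(req.get("postData", {}))
        _redact_body(resp.get("content", {}))
    return har


def find_leaks(har, secrets):
    """Which of the given secret strings still appear anywhere in the document?"""
    serialized = json.dumps(har)
    return [s for s in secrets if s in serialized]


# A constructed capture of one authenticated API call plus a health check.
# The tokens at-123, sess-456 and rt-789 are made up for the example.
SAMPLE_HAR = {"log": {"version": "1.2", "creator": {"name": "constructed", "version": "0"}, "entries": [
    {"startedDateTime": "2023-10-02T09:00:00.000Z", "time": 12,
     "request": {"method": "GET",
                 "url": "https://app.example.invalid/api/me?access_token=at-123&v=2",
                 "headers": [{"name": "Accept", "value": "application/json"},
                             {"name": "Authorization", "value": "Bearer at-123"},
                             {"name": "Cookie", "value": "session=sess-456"}],
                 "queryString": [{"name": "access_token", "value": "at-123"}, {"name": "v", "value": "2"}],
                 "cookies": [{"name": "session", "value": "sess-456"}]},
     "response": {"status": 200,
                  "headers": [{"name": "Set-Cookie", "value": "session=sess-456; HttpOnly; Secure"}],
                  "cookies": [{"name": "session", "value": "sess-456"}],
                  "content": {"mimeType": "application/json",
                              "text": '{"access_token":"at-123","refresh_token":"rt-789"}'}}},
    {"startedDateTime": "2023-10-02T09:00:01.000Z", "time": 3,
     "request": {"method": "GET", "url": "https://app.example.invalid/healthz",
                 "headers": [{"name": "Accept", "value": "*/*"}], "queryString": [], "cookies": []},
     "response": {"status": 200, "headers": [], "cookies": [],
                  "content": {"mimeType": "application/json", "text": '{"status":"ok"}'}}},
]}}

if __name__ == "__main__":
    clean = sanitize_har(SAMPLE_HAR)
    print("still leaking:", find_leaks(clean, ["at-123", "sess-456", "rt-789"]))  # []
    print(json.dumps(clean, indent=2))
```

Two design choices are deliberate. Cookies are redacted wholesale rather than by name, because the session cookie is whatever the identity provider decided to call it this quarter; and any body that so much as mentions a token field is dropped entirely, because a token endpoint's response is the one payload support never needs to see. The find_leaks pass at the end is the check to run against the real secrets before the upload button is pressed; the debugging value of the file survives, since status codes, timings and non-credential headers are left alone.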

The Single Point of Failure Invoice

When Okta has a bad day, every Okta customer has a bad day. The 2023 incident ran roughly two weeks between initial compromise on 28 September and detection on 13 October, with public disclosure following on 19 October. During that window, every application sitting behind a session token in one of those HAR files belonged, technically speaking, to the attacker, and the customers who noticed were the ones watching their own administrator logins rather than waiting for Okta to tell them.

Figure: The Architecture Is the Cost. Attacker (one laptop) → Identity Provider (Okta / Auth0) → 1Password, Cloudflare, BeyondTrust, Customer 4, Customer 5. Caption: Centralising identity at a third party centralises risk at the same third party.

Centralising identity at a third party centralises risk at the same third party. This is not a bug in the deployment. It is the architecture. The architecture is the cost.

The Lock-In Invoice

Auth0 Rules and Actions are custom JavaScript hooks that run inside Auth0's own pipeline, and Rules are already deprecated in favour of Actions, so the first migration is one Auth0 schedules for you. SAML and OIDC are standards; the rest of the integration is not. Migration off Auth0 means, in rough order of tears shed:

  • Re-implementing every Rule and Action against whichever identity layer one chooses next
  • Re-issuing tokens for every active user, which is to say forcing everyone to log in again
  • Convincing one's customers that yes, the forced re-authentication is intentional and not, in fact, a phishing attack
  • Backporting the custom claims one's applications have quietly come to depend on

This is not insurmountable. It is, however, the cost of having outsourced something that the database could have done. One practical check before anything else: Auth0 will export the password hashes, but by support ticket rather than from the dashboard, so ask early. Without those hashes the migration is not a forced re-login but a forced password reset for every user, and the communication plan acquires a second meeting. One pays the bill in engineering hours, user trust, and meetings titled "Re-authentication Rollout Communication Plan". One does recover eventually. Rarely in the same quarter.

The Alternative

Several mature self-hosted options exist, and one notes with some relief that none of them have an acquisition pending:

  • Keycloak (Red Hat) — full IAM, Java, battle-tested across enterprise deployments for a decade
  • Ory Kratos (Go) — headless, REST APIs, no UI shipped, which is either a feature or a project in itself depending on one's taste
  • Authentik — a cleaner interface than Keycloak, supports OIDC, SAML, and OAuth2
  • FusionAuth — single binary, generous free tier, designed by developers who remember what developers actually need
  • Authelia — lightweight forward auth for reverse proxies, the right tool when the proxy is already doing the work
  • Lucia — a Node library for application-level auth, minimal and unopinionated; its maintainer has since retired the package in favour of written guides to doing the same thing by hand, which rather makes this article's point for it

And then there is the unfashionable option: a users table with argon2 password hashes, a session token stored in a server-side store such as Redis or Postgres, and one route handler per flow: login, register, recover, MFA setup. The shape of this pattern has been production-grade since approximately 1995; the hash function underneath it has been upgraded along the way, the shape has not. One notes that in thirty years it has neither been acquired by private equity nor had anyone else's support desk holding its session tokens. Its tokens would, to be fair, leak from a HAR file just as readily as anyone's; the difference is that one controls the store they point at, and revoking every one of them is a single DELETE. The archive of its breaches is notably short.
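What the unfashionable option looks like once written down, as an added example for this article and not code from any of the projects above. It assumes nothing beyond the Python standard library: scrypt stands in for argon2id because it ships with hashlib (argon2-cffi's PasswordHasher is a one-for-one swap for hash_password and verify_password in production), SQLite in memory stands in for the Postgres users table and the Redis session store, and the AuthStore class, its method names and the sample user are this example's own.

```python
import hashlib
import hmac
import os
import secrets
import sqlite3
import time

# scrypt stands in for argon2id here because it ships in hashlib; the structure
# is identical, and argon2-cffi's PasswordHasher is a one-for-one swap in production.
SCRYPT_N, SCRYPT_R, SCRYPT_P, SCRYPT_MAXMEM = 2 ** 14, 8, 1, 64 * 1024 * 1024
SESSION_TTL = 8 * 60 * 60  # seconds; sessions expire server-side, no claim in the token says so


def hash_password(password, salt=None):
    """Per-user random salt plus a memory-hard KDF. Returns (salt, digest)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                            p=SCRYPT_P, dklen=32, maxmem=SCRYPT_MAXMEM)
    return salt, digest


def verify_password(password, salt, digest):
    """Recompute and compare in constant time; never compare digests with ==."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def _session_key(token):
    """Sessions are stored by hash so a database read does not hand out live tokens."""
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


# Verified when the e-mail is unknown, so an unknown address costs the same time
# as a wrong password and the login route does not confirm who has an account.
_DUMMY_SALT, _DUMMY_DIGEST = hash_password(secrets.token_hex(16))


class AuthStore:
    """A users table and a sessions table. SQLite in memory stands in for Postgres/Redis."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.executescript("""
            CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE NOT NULL,
                                salt BLOB NOT NULL, digest BLOB NOT NULL);
            CREATE TABLE sessions (key TEXT PRIMARY KEY, user_id INTEGER NOT NULL
                                   REFERENCES users(id), expires_at REAL NOT NULL);
        """)

    def register(self, email, password):
        """POST /register: returns the new user id."""
        salt, digest = hash_password(password)
        cur = self.db.execute("INSERT INTO users (email, salt, digest) VALUES (?, ?, ?)",
                              (email, salt, digest))
        return cur.lastrowid

    def login(self, email, password, now=None):
        """POST /login: returns an opaque session token, or None on any failure."""
        now = time.time() if now is None else now
        row = self.db.execute("SELECT id, salt, digest FROM users WHERE email = ?",
                              (email,)).fetchone()
        if row is None:
            verify_password(password, _DUMMY_SALT, _DUMMY_DIGEST)  # burn the same time
            return None
        user_id, salt, digest = row
        if not verify_password(password, salt, digest):
            return None
        token = secrets.token_urlsafe(32)  # 256 random bits; it carries no claims to forge
        self.db.execute("INSERT INTO sessions VALUES (?, ?, ?)",
                        (_session_key(token), user_id, now + SESSION_TTL))
        return token

    def current_user(self, token, now=None):
        """What every authenticated route does first: one indexed lookup plus an expiry check."""
        now = time.time() if now is None else now
        row = self.db.execute(
            "SELECT u.email FROM sessions s JOIN users u ON u.id = s.user_id "
            "WHERE s.key = ? AND s.expires_at > ?", (_session_key(token), now)).fetchone()
        return row[0] if row else None

    def logout(self, token):
        """POST /logout: the token is dead the moment the row is gone."""
        self.db.execute("DELETE FROM sessions WHERE key = ?", (_session_key(token),))

    def revoke_all(self, user_id):
        """Incident response for a leaked token is one DELETE, not a signing-key rotation."""
        self.db.execute("DELETE FROM sessions WHERE user_id = ?", (user_id,))


if __name__ == "__main__":
    store = AuthStore()
    store.register("ada@example.invalid", "correct horse battery staple")
    token = store.login("ada@example.invalid", "correct horse battery staple")
    print(store.current_user(token))  # ada@example.invalid
    store.logout(token)
    print(store.current_user(token))  # None
```

The details worth noticing are precisely the ones a third party would otherwise have done for you: the per-user salt and the constant-time compare; the dummy hash that makes an unknown e-mail cost the same as a wrong password, so the login route is not a user-enumeration oracle; the token that is random bytes rather than a signed claim, so there is nothing in it to forge and nothing to rotate; and the session table keyed by the token's hash, so a database read does not hand out live sessions, which is the HAR problem in a different costume. Recovery and MFA enrolment are two more handlers of the same shape, not a different architecture.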

The Pattern

The identity tax operates on three consecutive invoices.

Figure: The Three Invoices. 1. Validate: pay a third party to verify users you already had. 2. Absorb: pay again when the third party is breached. 3. Migrate: pay once more when the pricing model changes. Caption: The verification was always something the database could do. The password hash was always there. One simply decided it wasn't fancy enough.

One pays a third party to validate one's own users. Then one pays more when the third party is breached. Then one pays again to migrate when the pricing model changes. The verification was always something the database could do. Argon2 is a four-line dependency. A session token is 128 random bits, a version 4 UUID if one likes, looked up in a table one controls; anything derived from a clock or a MAC address does not count. A login form is one POST handler. The complexity that justified outsourcing was, in many cases, complexity that did not exist.

The password hash was always there. One simply decided it wasn't fancy enough.

$6.5B for $200M of revenue. Per-MAU price tripled in one announcement. 2022: $6B market cap erased, $60M class action. 2023: HAR files in support tickets contained session tokens; five customer environments hijacked; by the end of November, every Okta customer's name and email confirmed exfiltrated. Rules and Actions lock you in. The boring option has been production-grade since 1995.