Okta CEO on Building a Password-Free Future & Developing Standards for AI Security

Getting all of security from one vendor is dangerous. Clearly getting everything across infrastructure and collaboration and devices from one vendor like Microsoft is dangerous.

If you're still thinking about cybersecurity in terms of a firewall that surrounds and protects your organization, you are leaving yourself vulnerable. In a world of remote work teams, aging systems and AI agents protection is no longer about securing a perimeter with companies adopting cloud-based software and employees accessing data on their phones or laptops in multiple locations. The cybersecurity market is moving toward identity first protection, focusing on validating user identities to defend access to systems, not just protecting the systems themselves. Okta's latest products seek to position the company as the platform enterprise's trust to manage identity across their entire tech stacks, battling both human and AI cyber threats. In the latest quarter, Okta posted 12% revenue growth and $230 million in food cashflow. But despite the strong performance share price dropped a result of the market's disappointment that the company kept its full year guidance unchanged. Instead of moving it upwards citing economic uncertainty, we sit down with Okta, CEO and co-founder Todd McKinnon to talk about the quarter, what could boost his confidence in the macro outlook and what it means to protect every login in an AI powered world.

(01:15)
Let's get into it. Todd, thank you very much for joining. I want to dig into your earnings. To start with, you had a very strong performance, but I've got in front of me your earnings presentation and something in there caught my eye, which I haven't seen on very many occasions, and that's one slide where Okta lays out Okta is the superior choice versus Microsoft every time explicitly calling out your virtues relative to a named competitor is something I don't see super often. Tell me why this is in there and what it means for how you think about the competitive landscape.

Well, thank you so much for having me. It's great to have the conversation. We are the leading independent and neutral identity platform, and the reason we talk a lot about Microsoft is because they have a very different worldview and we have a different perspective than they, but it's really about the whole industry and how it evolves. And I think our view is that identity needs to be this independent and neutral layer that will lead to great security outcomes for customers. It'll make it really easy to log into things. It'll make it really easy for security teams to have visibilities. It'll really create this fabric across a company that everything plugs into seamlessly, and you get these great security, you decrease security risk and you increase usability. And the different worldview is people like Microsoft think that everything in technology should come from one company and they should sell you all the communication platform and the collaboration platform and the cloud computing infrastructure and the AI tools.

(02:54)
And it all should come from Microsoft. And our view is pretty simple in which is that if you get identity as part of another platform, it's not going to be good at securing and granting you access to different platforms. And in this world, companies need to be smart and have flexible technology and have the leverage to use different platforms. Think about all the innovation that's going on in ai. Do you want to be stuck into only the innovation in one model company or one tool company? No, you want choice. You want to use Google and you want to use Amazon. You want to use all the small innovative startups out there. And having an independent and neutral identity company and trusting that for your identity security fabric gives you that flexibility while also solving a huge security problem in the enterprise, which is identity security. So that's why we call out Microsoft to try to make it, because when I describe it like I just did, it's kind of abstract, but when you really say, Hey, your choice is between getting your identity with Microsoft and being locked in there, or your choices about flexibility, it makes it more clear for customers.

It's also really fascinating, Todd, because so much of the dialogue for some of these big enterprise software names people like Palo Alto Networks or people like Salesforce, platformization has sort of become buzzword du jour and you've laid out one piece that could stand alone. Talk to us about who you are actually selling into. And I look at your product suite, you talk about one set of products for developers, you've got another set of products for IT teams. How are you positioned with those two different customer sets?

Well, our company is getting large, almost coming up on 3 billion of a RR, and we have nearly 20,000 customers. So we're going to have a broad range of products and capabilities for different audiences, but it's all about what is the theme and what is the thing that ties them together. And if you flip it around and think from the customer perspective, they're not going to ever have one vendor for everything. They're going to have thousands and thousands of vendors, but they still want some of the benefits of scale and they want to simplify and consolidate certain areas. So it's all about what are the points of consolidation in their enterprise or in their company. And our pitch is essentially you should consolidate on identity. You should not consolidate on all of security. Getting all of security from one vendor is dangerous. Clearly getting everything across infrastructure and collaboration and devices from one vendor like Microsoft is dangerous.

(05:20)
And so that's kind of how we balance the two. We want to be the one-stop shop for identity for all these companies. And then in terms of who we sell to, it's it. It's CIO, it's the head of security, application security. It's people building applications. If you're a builder, you can use Okta's platforms and technologies to add identity securely into your application. So the thread between it all is identity, while the different buying constituencies can be different, everything from CTO, chief product officer to IT and security, then really we can address use cases in every area of the company. It's just all around that theme of identity and identity management.

And talk to us about how that's translating into your financial performance. Oxy did beat expectations this quarter, strong revenue growth at 12%, and you posted your first gap profit. It's not a perfect measure, but it is a milestone. Just break down for us the top drivers of the outperformance where you're seeing the strongest growth and expansion.

Well, it's a big market and it's growing quickly, and we're the leader. So we're the largest independent and neutral identity platform by far. And I think you have these forces in the world and in the economy that are powering that growth for many, many years. Okta's 16 years old and we were born out of the cloud transition. So applications like Salesforce and then Amazon Web Services, and everyone's very familiar with that story now. That was one wave. And then second major wave was the whole security wave. People have realized over the years that to secure your environment, you have to have strong identity security. Identity is security, identity is security. You can't do it with a firewall anymore. People aren't accessing things through your firewall. You can't do it just with endpoint. You have to do it with identity as a key pillar in that.

(07:04)
So that's a second huge wave. And then the most recent wave is all the energy around ai. We're seeing tremendous promise and success of fast growing applications and services we all know and love. And what companies are realizing is that if they want to build the AI future, if they want to have agents automating work, if they want to buy these platforms that are offering agents as part of their platform, that really, really puts a spotlight on the identity security inside their organizations, we can help secure the identities that these agents need to log into. We can help give the agents themselves an identity and manage how it delegates that identity to other agents or from users to agents. So this third megatrend for us is the AI revolution, this agen revolution, which is causing, I mean, the reality of this one is it's very early and most customers are in this mode of, they have prototypes, they've prototyped these types of agents, automated tasks usually around software development or customer service, and now they're getting ready to move them into production. And that means these agents needs access to real data, customer data, which is in databases and data warehouses and CRM systems. Then that's identity risk. And by selling this identity fabric and this vision about this neutral platform that can weave it all together, it's really resonating and that's power in the results.

Let's talk a little bit more about human activity. We'll come back to ai, but let's start with human intelligence and human motivations. Todd, when I think about how identity protection has evolved, it feels as though I'm constantly having to log into things multiple times. It's a manual process, still manual while your enterprise clients understand clearly the need for what you are offering when it comes to the actual human beings using your technology. Talk to us about end user adoption. Are end users getting fatigued by this constant verification process?

Well, I think there's good news and bad news on this. I think the good news is that the industry over the last three or four years made a lot, have come up with a lot of fundamental advancements that make it easier and better. There's something in the world that's new, it's called passkey, and it's basically passkey. You may have heard of 'em. The adoption is starting, especially around some of the big consumer internet sites and services like Google and Amazon, and it's really think about it as it's a different way to have a password that's more secure and harder to hack and easier to use. And this was a collaboration between operating systems, Google and Android and iOS and Windows and Mac and collaboration between browsers and people making infrastructure software. And this is benefiting Okta because we can provide the backend capabilities that if you are running a website and you want to support this new capability, we can make it super easy for a developer to support that by calling a simple API and you'll support PAs keys.

(10:08)
So this is very encouraging and it's particularly really, really the concrete end to end implementation of it across all apps and all devices is going to take a while on the consumer side and your personal life. But it's very real and very possible at work because in the work environment, IT and security control the whole environment on your personal life. You go to the websites you want, you download the apps you want, but in it there's more control. So it's solvable at work. So if your company has passwords still at work, you do not have to have them anymore. At Okta, internally, we have no passwords and it's all biometrics, it's all passkey based, it's all automated and secure. And that's where a lot of the progress on this end user simplicity is happening now. And I am very optimistic about that extending into the consumer

World

As past case get adopted more as people use technologies like ours to add 'em to their websites and mobile apps and there's some other exciting standards coming, eventually it'll take a bit longer. It's a little more complex on the consumer world, but I think the future is very bright there.

Well, let's talk about biometrics because if there's a level of intrusion that perhaps consumers may respond less positively to, it feels as though biometrics could be one of them, whether it's facial recognition, whether it's prints, whether it's retina scans. You just said you do use biometrics at Okta. What are you using and what's your employee response been to it?

Yeah, the biometrics is an important topic, and I think that there are ways from a computer science perspective to make them private and have the user have it be not a biological representation is stored. You can store a reference to the biological representation, et cetera, et cetera. But a lot of times it's really you have to do two things. You have to convince people that it's, it's not selling their data or it's not somehow abusing their data.

(12:13)
And the advantage we have with that is our business is identity. Our business is security. Our business is helping customers be more productive and they pay us for that, a recurrence subscription. We're not trying to use the information for something else. We're not trying to sell ads, we're not trying to monetize the data in a different way. So that business model alignment is really important in this discussion, but ultimately it comes down to people are going to make a choice. That is if the convenience and the ease of use is at the bar that they want and their concerns about privacy and the motivation of the people providing the technology is aligned with what they're trying to do, I think we can be successful. And that's what we're seeing.

Can we touch for a second, Todd? On Quantum? Here's the reason why I was lucky enough to interview the former deputy director of the NSA. The question I posed to him is what is the one technological advancement that keeps you up at night? Didn't miss a beat, didn't even blank. The answer was quantum. And it's quantum because quantum computing has the ability to break codes faster than we've ever seen before as quantum advances. What does that mean for Okta's business model?

Well, I think that it is very exciting technology quantum. And in terms of the implications on security keys and encryption, there is potentially a threat, some of these cryptographic algorithms and the length of the what's called the key, which determines how long it would take an attacker to guess all the keys and to come up with the answer. The quantum could theoretically if it's work, and we need to take a step back. And a lot of these implementations of quantum computers are very early, and it's not quite where we're ready to have a working real world computer with software and all the algorithms running on it. But assuming it did get there that these computers could break some of the algorithms out there. But the good news is that the keys and the size of these keys can be increased. So there's no theoretical maximum to how complex and long the keys could be. So theoretically, whatever advance in quantum computing, we could increase the key lengths and keep up with that. Now the challenge is that's a change management problem.

(14:30)
The thing about security and the thing about security issues are most often it's because the old stuff is still around. The systems aren't patched, the identities or the accounts, they're not comprehensively covered. They don't all have strong credentials. It's never the bleeding edge that gets broken. It's the laggards or the things that haven't upgraded and gone to the latest thing. So it really would be a change management problem. We'd have to get the new algorithms to a size and a length, and then we'd have to get them out there as quickly as possible. So watch the advancements and make sure that as an industry we're ready to increase the key lengths as this stuff potentially starts to become a reality. Now the other thing is there's a performance problem. So the reason why these encryption keys aren't super long is because it's slower. It takes longer time to set up the connection to send your secure email or send your secure WhatsApp message. But again, quantum could be the answer there because if these quantum computers can break the keys, they could address this performance problem and they could set up the encrypted channels faster and it would benefit the solution as much it would be the problem.

So in the conversation I had in that I was lucky to speak to the CEO of ti, there's timelines that I've been hearing are sort of five to 10 years until we see this rolled out. So as you look ahead as a CEO of Okta and you're looking forward to what could, what are you actively doing to position Okta to benefit from or to mitigate any risk caused by Quantum? Are you talking to quantum computing companies? Are you part of research collaborations? What are you actually doing to get in front of this?

Well, it's an important question, and I think the right answer is the whole security world, and particularly the identity security world. It's too complicated right now. It's not standardized enough. Everyone does it their own way. They have their own systems integrated, the systems a different way. And what we're really pushing for, whether it's because of Quantum or because of just the day-to-day threats people see today, is we're pushing for more standardization. We're pushing for people building applications and building technologies to build their tools and their technology to hook into identity security systems in a standard way. And what this will allow is as threats emerge and as the world changes, it's faster and easier and more flexible to change things. It's easier to change encryption algorithms. It's easier to introduce new defenses for emerging threats. And by the way, I'm describing an open and accessible world that works well together. It's very different than some of the other companies in our industry, which are espousing more of a closed world that's proprietary and locked in and may not be as resistant to change. So I think Quantum is an interesting threat, and we can talk and think about that, but I think the solution, this standardization in this better integration between identity systems and security systems has a broad applicability in the short term, some of the more pressing threats today and the longterm.

On that note, talk to us about what you were doing with respect to AI and Gentech security. Todd, I know that's been a big focus for you, but that feels like that sort of interim step to help accelerate standardization, to help accelerate adoption. Tell us what's going on there in terms of your product development.

Well, agents are very exciting, very real. And they're going everywhere in terms of the mindset and what people are talking about and terms of packaged applications and are adding agents. And there's different companies and different frameworks to build agents, and companies are trying to build agents internally. They're trying to build agents into their products. They're everywhere. They're fast and they all need access to data and they have to have access to that data in a secure way. And Okta is the answer. And this is really, in some ways, it's really enhancing and heightening a problem we've known we've had as an industry for a long time. And that is that software accesses systems, the developers of the software, often they take shortcuts and store the token that gives you access to the software in their source code or they put it in Slack or they put it in a config file because they're moving fast and trying to innovate.

(18:49)
And this problem of these service accounts and these tokens stored in insecure ways is a problem we've had for a long time. And this Agent Revolution is really magnifying it and really enhancing it. And now all these agents need access to all these systems and all these service accounts. And as companies move from prototypes of these agents to production, we're setting up for something pretty bad from a security outcome perspective. And we're working hard to build our products and deploy our products to do what they do, which is manage this environment and secure this environment of identities across all of these use cases, pre agent use cases and all the new agentic future as well.

Todd, final question on your earnings and then we'll switch gears to rapid fire. You had strong earnings, but the street didn't respond. Perhaps as hoped, your share price did come down. And the consensus seems to be it's because rather than revising your guidance upwards, given the strength of your recent performance, you actually invoked macro uncertainty. What are the specific metrics and signs of more concrete macro confidence that you would need to see before you revisit the guidance you've provided?

Well, the long-term for Okta, it's amazing and it's very bullish, and we have all these opportunities to accelerate growth and to build this really important independent, neutral defining company in our category and across the entire industry. Now, if you look at the world, there's a lot of uncertainty right now in terms of tariffs and what that's going to do to the economy. And customers have these conversations and they're concerned about, nothing's really shown up concretely yet, but they're concerned about what this could do to their business, and they read the news and there's a little bit of uncertainty. So we're very conservative with our guidance. We are prudent, and in the short term, we're talking about a quarter or a couple quarters. We want to make sure investors have a very, very realistic expectation of what we could do. And then of course, we're working hard to try to meet that or overachieve that. And that's the pattern we've shown over and over and over again. So I think that's all that is. We're talking about some near term conservatism given what's going on in the world in terms of conversations about uncertainty, but it doesn't really speak to even the medium or long-term opportunities for our business. This is we're positioned, the world needs this defining company and identity. It needs to be neutral, it needs to be serve, all these key important needs, and we're excited to build that.

But just to push on this point, because the near term does matter, and I think the street is looking to leaders like Utah to provide signs of confidence or caution.

Absolutely.

What would you need to see change? Would you need to see tariff policy locked down? Would you need to see difference in consumer sentiment numbers? I get it, but would what tangibly would move your sentiment?

Yeah, it is a very short term answer. I would say we're going to look at the business and the quarter we're in now is off to a good start and we're going to execute well. And if we given all the conversations out there about this uncertainty as we expect to do, meet or exceed our guidance in Q2, then we'd be much more confident about the impact this is all having on the actual business. But yeah, so it's performance talk is cheap, right? It's like put up the numbers and that moves. That moves everyone's confidence forward.

The proof is in the pudding. We're going to wrap with two rapid fire questions for you, Todd. The first one is, which company do you most admire? And Okta cannot be an answer. That's a cheat answer.

I'm obsessed with Cursor Cursor ai.

(22:30)
I'm a developer, my first job in my career as a developer, and it's very interesting. They've really kind of a boring category. It's like software development editor, and they really, from the ground up, they've reimagined it as what would you do if you built a software editor with AI built in? And in terms of developers, it's amazing and it's powerful. And the other cool thing about it is I think it's very pragmatic. It doesn't have this idea that we're going to have this magic AI genie write all the software just by telling it what I want. It's more like, Hey, you're a developer. You're very good at what you do. How can we really make the productivity of that developer magnified without maybe, I think having this unrealistic expectation that the AI is just going to create the software, just because I mentioned a few words about it.

And second last question for you as a user, what is your favorite Okta product feature?

Not even, I wouldn't even give you a long answer to this one. It's Okta FastPass. I don't want to pass Okta. I touched my keyboard and I'm in. Never entered a password, ever.

There you go. Fast pass fast answers to a rapid fire question. Todd McKinnon, CEO, and co-founder of Okta, thank you for joining Comeback. Lots going on. That's really exciting. I'm Anne Berry. Thanks for tuning in to After earnings, the show that brings you up close and personal with the executives behind the world's most interesting publicly traded companies. If you learn something today, don't forget to like, subscribe, and share with your friends. Upcoming episodes will feature CEOs and CFOs from Carver, Intuit Block, and many more. Come back and we'll see you soon.