Auth0 is a powerful authentication and authorization platform that makes securing users, AI agents, and enterprise applications effortless. With built-in scalability, fine-grained access control, and 30+ SDKs, Auth0 helps developers integrate identity in minutes—so they can focus on innovation, not infrastructure.
In this episode, we discuss identity automation and AI with Bhawna Singh, CTO at Okta, and Gareth Davies, Chief Product Officer at Auth0. The conversation delves into how organizations manage service accounts, bots, and API tokens in the age of generative AI. The guests highlight the importance of secure, scalable identity solutions that empower developers to create seamless user experiences. We also discuss the evolving protocols and standards in AI, emphasizing the need for industry collaboration to ensure security and trust. The episode concludes with insights into the future of AI and identity management, focusing on the challenges and opportunities in building secure digital experiences.
Show Notes
Takeaways
- Trust is the foundational aspect of why adoption is not moving at the same rate as AI evolution.
- Organizations must move away from hard-coded API keys and access tokens.
- Building secure, agentic systems is essential for accessing third-party resources.
- The vision for AI agents transforming businesses is expansive and complex.
- There are foundational security and identity questions that need addressing.
- Architectural implications of AI integration are fascinating and multifaceted.
- AI adoption requires a shift in how organizations think about security.
- The pace of AI evolution is outstripping the rate of adoption due to trust issues.
- Understanding the scale of AI’s impact is crucial for businesses.
- Organizations need to prepare for the future of AI with robust security measures.
Chapters
00:00 – Introduction to the Podcast and Today’s Identity & AI Discussion
02:36 – What Is Auth0? Overview of Its Identity and Access Capabilities
05:10 – Why Developers Choose Auth0: Flexibility, Extensibility, Ease of Use
06:22 – Core Features: Authentication, Authorization, FGA, and Developer Tools
10:47 – AI Agents & Identity: Challenges of Autonomy and Access Control
12:13 – Key Protocols: MCP, Agent-to-Agent, and Cross-App Access
15:52 – AI-Driven Commerce: Verifiable Credentials and Async Authorization
18:58 – Building Trust: The Need for Industry Standards in AI Identity
21:55 – Foundations of Long-Term Identity Security in an AI Future
23:16 – Managing AI Agents: Governance, Lifecycle, and Auditability
27:26 – How Teams Adopt Auth0: Learning Curve and Developer Experience
31:27 – Real-World Results: Conversion Gains, Security Wins, Fraud Reduction
36:35 – Customer Insights: Unexpected Lessons from AI Deployments
41:55 – Responsibility & Identity: Who’s Accountable for AI Agent Actions?
45:49 – The Future: AI Scaling, Traffic Patterns, and Infrastructure Evolution
51:08 – Closing Thoughts and Final Takeaways from Okta & Auth0
Transcript
Beau Hamilton (00:01.041)
Hello everyone. And welcome to the SourceForge Podcast. I’m your host, Beau Hamilton, senior editor and multimedia producer here at SourceForge, the world’s most visited software comparison site where B2B software buyers compare and find business software solutions. In today’s episode, we’ll get into the heart of identity automation and AI with two industry professionals from Okta and Auth0. The question we’ll really be zeroing in on is how do organizations manage service accounts, bots, and API tokens in this age of generative AI?
I mean, there’s so much change happening right now. It’s far from incremental. Just, we’re seeing bots updated with agentic workflows that can access credentials and have their own autonomy. Service accounts are interacting with AI systems and APIs and are no longer relegated to backend infrastructure. And then you have API tokens, the digital keys of, for software, for pieces of software, they need to be watched and managed more closely than ever.
Needless to say, there’s a lot of components that need to keep, you know, can have tabs on and manage a lot of complexity associated with this AI boom we are in. And I think it’s becoming one of the biggest challenges of modern enterprise, I would say. So we have a lot to talk about and two great guests with tons of expertise on this topic. We have Bhawna Singh, Chief Technology Officer at Okta. Bhawna leads the tech strategy and the vision behind identity and access management at scale. Very impressive. And then we have Gareth Davies, Chief Product Officer at Auth0, part of Okta. Gareth leads global product strategy and innovation across the entire Auth0 platform.
So, Bhawna, Gareth, thank you both for joining me. I’m really excited to have you here.
Bhawna Singh (02:11.604)
It’s a pleasure to be here Beau.
Gareth Davies (02:12.107)
Good to be here Beau.
Beau Hamilton (02:13.317)
So I want to start by sort of laying the foundation before we get into how your teams at Auth0 and Okta are thinking about identity in this crazy world we live in. For those who might not be familiar, how would you describe Auth0 and the role it plays in identity and access management? And Bhawna, maybe you can tackle this question, but Gareth, feel free to jump in as well.
Bhawna Singh (02:36.172)
Yeah, let me kick it off and Gareth, yes, of course, please join in. At a high level, I would say Auth0 is an enterprise-grade, highly trusted platform that is an out-of-the-box identity solution. It helps solve your authentication and authorization needs. And the key part of our platform is, of course, it enables developers. So that’s our focus, developers across consumer, B2B, or internal applications to handle login, sign up, or user management, and all of those identity-related needs or use cases. And as we have built Auth0 product, we have kept two key themes on our mind, one in terms of building as part of the product principles, which is flexibility, which is, in other words, we say, we see Auth0 to solve for most of your needs out of the box around identity. But we’re also mindful that we need to provide a platform that can be extended or customized to also serve unique use cases that some of our customers might have. So that’s the key theme.
And the other key theme that we drive in our product development is easy to use. So while identity we see is a complex space, we don’t see why it should be complex for our customers to bring in and develop on top if need be. So we want to make sure that our solution is user friendly or in our case, developer friendly, enabling companies of all sizes to develop complex, customizable, out of the box identity solutions to meet their specific need. But at the foundational level, what sits is trust for us, which is ensuring our platform is highly secure, highly available, and of course, fully compliant.
So with Auth0, you don’t have to reinvent the wheel. You can build secure authentication and authorization right into your application. So your teams can focus on building great experiences and less on managing and running and building identity solutions. So that’s a key part of what we are building and what the platform and the product stands for.
Beau Hamilton (04:48.347)
Gotcha. Thanks for explaining that. Yeah. So that really condensed overview is, is you take all that complex security sense of sensitive part of the software, which is the identity part of the equation, and you simplify it to mix. So it can mix with APIs, SDKs and various integrations, which you then give to developers so they can plug it into their apps. And so they don’t have to reinvent the wheel, as you said.
Gareth Davies (05:12.992)
That’s right. You just as a developer, you don’t want to have a PhD in identity. There’s a lot of complexity whilst you’ve got standard protocols that are the foundation, the bedrock for identity. We really want to empower developers to have rapid time to value and ultimately free them up to focus on building world-class products and experiences, whether that’s B2B or B2C, and not have to worry about the underlying foundations and protocols of identity.
But to Bhawna’s point, that extensibility piece is key because no two organizations have the same flows, even though there are foundational best practices around how you think about authenticating users and kind of driving them through their journey in secure ways. Rarely do you see two organizations implement the same patterns. And so being so developer focused, it’s all about providing the tooling and the SDKs and the capabilities for devs to build an experience that is relevant for their business, but also drives delight for the end user in a secure way. And that’s the delicate dance is much more than just the login box. And that’s why we’ve, I think, had a lot of love from the developer community as a result.
Beau Hamilton (06:22.085)
Yeah, it’s really, it’s much more than just a log in box. I want to get to some of those, features. And Gareth, you being the product guy over at Auth0, what, what would you say are some of the core capabilities or the qualities that users tend to gravitate towards when they, when they first start exploring the platform?
Gareth Davies (06:37.512)
Yeah, of course. So you’ve obviously got the foundations of just authentication, right? I think, you know, historically that would have been kind of a classic login. We’ve moved to more of an advanced customized login so customers can bring their own design systems and really create a pixel perfect branded experience for the user. We’re seeing that evolve even further into much more kind of native API first embedded experiences, but developers really don’t want any redirect. Imagine you’re a banking app.
You don’t have to redirect the user to Auth0 to be able to kind of see the user move through that flow. Everything needs to be natively called from within the application to ensure that they’re delivering not just a seamless experience to the user, but one that’s extremely high trust. So I think that’s kind of an evolution and something we’re investing heavily in.
More broadly, I think it’s not just authentication, there’s also authorization. So we pioneered, we’ve worked on some open industry research to pioneer fine-grained authorization, which we have both as an open source project as well as an enterprise managed offering here at Auth0 that basically allows organizations to apply very elegant fine-grained controls around not just who has access, but what resources they can access. So imagine you’re building an internal application for your teams, and this is becoming super relevant now in the world of AI where you don’t want to have an agent that has overprovisioned, coarse-grained access to all your internal resources. You want to really be precise to say, OK, this agent or this user can access this specific document or this body of the text in a doc or in Google Drive rather than having broad-based permissions. And to do that, there needs to be quite an elegant architecture, then you need to simplify that experience of implementing these controls in a way that are both precise but scalable across the organization.
So FGA has seen a lot of demand and adoption across both B2B, B2C use cases for exactly that reason, because it builds on the foundational primitives of identity, but gives users much more control over specific data, specific resource and actions. So I think that’s something that we’re excited about. Bhawna touched earlier on the extensibility of Auth0 and Actions is a great way we do that. This is all about enabling developers to build custom logic and advanced extensibility so you can really deploy very bespoke and context aware authentication experiences for users and manage the whole life cycle of that user.
And of course, as you would imagine, behind that, we need to have a world-class developer experience and a scalable platform, SDK, CLI support, all the range of APIs necessary for our customers. We’re at the foundation. We’re a SaaS app, so we have both single and multi-tenancy kind of architecture. So we have a public as well as private cloud instances. But we really want to make sure that our customers, however they’re interacting, whether it’s through managed dashboard, through our APIs, that they can really get that level of control, that level of customization that they need for their use cases. So they can balance this need to have a secure experience for the end user, but also a delightful experience.
And as we think about the product strategy, that’s key. There’s this inherent trade-off between the two. And our view is that it doesn’t need to be zero sum. You can drive identity flows that are both more secure for the end user, but also decrease friction and enable the user to sign up, log in, manage their lifecycle in a much more elegant way. And that’s what we see translating ultimately, not just into reduced security risk, but into a higher end user engagement, which for many of our customers translates directly into revenue and happy, loyal customers.
Beau Hamilton (10:47.953)
Right. Yeah, well, there’s a lot of features you got to be focused on and capabilities and components of the platform. One thing that really stood out to me that you mentioned, and again, this is kind of the bigger topic, is AI and these AI agents and how they have their own sort of autonomy, and as a developer, you really got to stay, you got to audit them and got to stay on top and track where they’re going, what they’re doing and what they’re capable of.
And it’s only going to get more automated as time goes on. But one thing that’s interesting and I want to ask you about is what kind of protocols are you following or are you utilizing? Because I know like Anthropic’s model context protocol, seems like the one I keep hearing a lot about. It seems like it’s being adopted at scale more than some of the others out there.
And basically, I guess I’ll explain kind of shortly what that is. Basically, it creates an open standard for developers to build secure two-way connections between their data and AI powered tools. And as AI, large language models, kind of consumer, customer facing chatbots started turning into and integrating with apps, this is becoming more important than ever. So how important is it to have a protocol? And my other part two of the question is what protocols are you adopting and integrating with Auth0?
Bhawna Singh (12:13.304)
Well, I’d say, you know, if you look at the overall Okta posture and itself, we do play a key role in key protocols and standards. And with AI, I would emphasize further that I don’t think any organization, not just Okta, we need to lean in to help these standards evolve. One of the standards of protocol you called out MCP, we are also leaning in and we are a great partner to drop the obligations there to further evolve it to make sure it’s secure in the right places, as well as we are building authentication or you can say identity capability on top of MCP to enable that identity layer on top of the key security infrastructure.
So that’s the part of MCP, but all other protocols and standards that we’re also involved, of course, as agent to agent, which is another evolving conversation we are having, which is an autonomous agent, interacting and connecting with another autonomous agent, how will that interaction be? What are the new, you can say, attack surface? And how do we make sure that it’s protected? So that is absolutely another evolving space that we are leaning in.
And lastly, I would call out not to create a long list of efforts that we drive, which is a protocol that we have named and we have called it Cross App Access. Primarily, it’s an open protocol which drives, again, bringing identity into all of these application to application conversations. So you’re talking about MCP, where you have LLM and other systems application. We’re talking about agent to agent. But we also need to talk about, as these applications speak to each other, how will all this data and identity context with it go?
Because the key part that I would say a lot of conversation around AI agents is coming up is, how do I know that one agent that’s interacting with the second, it’s authorized, it has the right credential, I should be sharing these credentials, and how do I know that I should be sharing all my credentials with my agent and know that it will keep it secure and encapsulated? So that’s where the agent, or you can say, AI conversation is going, and that is the meta question of driving the trust into the agent and then that leading to adoption, because I think we all can agree that AI evolution has moved way faster than the adoption. And as we talk to many organizations, Gareth has discussed with many as well as I, we see trust as the foundational aspect of why adoption is not moving at the same rate as the evolution of AI has been.
Gareth Davies (14:54.037)
100%. And I think folks are recognizing that to build secure, agentic systems, they’ve got to move away from hard-coded API keys and access tokens, right? And there needs to be a secure and scalable framework. And, and this isn’t just about, securing your own internal resources. It’s about being able to securely call and access third party resources. And so even if you’re as an organization, not building agentic apps today, although most everyone we speak to are.
And for some of our customers, the number, the scale and the vision for how they’re seeing AI agents transform in their business is dizzying. And it brings a whole host of not just foundational security and identity questions, but also scale and kind of architectural implications, which are really fascinating. But many of these organizations are looking to expose their own traditional APIs now wrapped as MCP servers so that third parties, imagine I’m a hotel chain, for example. I want to enable, as consumers search and search behavior shifts and folks are perhaps using Google a lot less and using a Gemini or a ChatGPT to basically research and think about their next vacation and destination, then the way information is being gathered and accessed across the web, even public information, is fundamentally shifting.
So now you have businesses that need to enable a third party AI agent to be able to, or an LLM to plug into their systems and interact with them. And so there’s an access issue, but there’s also how do these agents understand and connect with their resources. And this is where we’re seeing really the rise of MCP being a big transformation. Some people have quipped that there are more MCP servers than there are users out there, right? Everyone’s kind of rushing to build. So as the API architecture gets decentralized and you have many agents talking to one another, finding ways to be able to connect becomes critical. And certainly, another one on top of A2A is the AP2 protocol. So this is an evolution of agent to agent, but coming out of Google’s work with a focus here on agentic commerce.
And this brings new concepts like verifiable credentials. So let’s say I’m gonna instruct an agent to buy, let’s say Taylor Swift’s having another concert, right? She’s gonna be in San Francisco, my 10 year old daughter and my six year old really wanna go. Let’s say I’m willing to pay, I’m feeling like a generous dad, I’m willing to pay, I don’t know what the price is, four or 500 bucks, it sounds eye watering. I might instruct my agent, and that’s the beauty of the agent, is that they are, whilst driven by our prompts, they’re semi-autonomous and they operate asynchronously. So that agent can be running in the background waiting for tickets to appear that fit the profile. Now I’ve got to authenticate as a user at the last minute and say I’m willing to do that.
So what you have is some sentiment of intent upfront that the user is willing to purchase. And then you need a mechanism. For us, that’s async authorization, where the user could be prompted at the moment of truth to be able to authenticate the transaction. But I think the whole point here is that there are new ways that the industry is thinking about recording and validating the user’s intent of a purchase. And so this is where an agent-to-agent protocol comes in line with this concept of a verifiable credential.
So these are areas of innovation that we’re really excited about at Okta because we think this fundamentally changes how industries operate, but it requires the whole industry to come together. It can’t just be Auth0 or Okta. We have to do that in collaboration, whether it’s with Anthropic or Google or many other providers, so that the primitives and the foundations are there for developers to build really delightful and innovative experiences.
Beau Hamilton (18:58.213)
Yeah, I think that’s what’s so fascinating about these, those protocols you mentioned is just that there hasn’t really been a standardization and a certain way to go about it. That, you know, customers feel like they can, they can really trust it and adopt it. Cause right now, like you were saying, Bhawna, we’re, you know, we’re in that sort of AI era or stage where it’s still being adopted, adopted like by the industry, right? Like it’s, you have to kind of tread cautiously and carefully when you’re dealing with so many customers and you know, there’s so many opportunities for things to go awry, but I think by singling out those protocols and then obviously with your platform and the reach and adoption you have I think that gives a lot of kind of credibility obviously to the protocols you mentioned and are working with and adopting as well as your own that you’ve mentioned you created.
Bhawna Singh (19:55.692)
Well, I wanna be clear, we have named it. That is the only creative, but it’s an open protocol and we are partnering there with the right groups to make sure it’s done right. I want to kind of plus one to the point you made, Beau, and it’s so important to emphasize that, which is the reason industry has to come together and align behind new key standards and make sure we strengthen them is so that we don’t have a, you know, bunch of the protocols and standards that then nobody knows, you know, what’s the right one and who to go to, because that again will become friction and adoption. And we are trying to avoid and bring down the friction and the lack of trust so that we can drive the adoption because the technologies and the AI evolution certainly has a lot of potential and a lot of companies have some very innovative ideas to drive some fantastic idea outcomes, I would say.
Beau Hamilton (20:54.065)
That’s a really good point ’cause you, yeah, you wanna build trust. And again, it’s like, you don’t want anything to any security breach, reducing the number of the surface area for exposures, improving vulnerabilities. I think a lot of your last couple of answers would answer maybe this next question, but I wanna still pose it anyway. And I think it, again, it looks at the long-term trajectory of where things are going. In your view, feel free, whoever can tackle this, what does it take to just build a really strong, secure identity foundation that’s set up to stand the test of time, right? I know it’s hard to think about the next few years with how quick things are going, but would you say it’s like by adopting some of these protocols and establishing a strong foundation now with them is that’s something you could really do to build that foundation that’s so important?
Bhawna Singh (21:55.842)
I think that’s a start. I think the platform that got described during the features question, which is our Auth0 for AI agents platform, many of those features are available for everybody to try out. It is going to GA in three weeks, but we certainly have the features available. That is the foundational aspect as we looked at all the different use cases of anybody would be building AI or GenAI based applications.
For example, you certainly need authentication. You certainly need to control the data access. So you need fine-grained access there. You need to make sure that your tokens are secure. So you need a token vault to secure all those tokens. So your AI agent is not bothering some human to say, okay, can I access this application? That’s the opposite of what you want from AI application. And lastly, you certainly need Async, the example of Taylor Swift that wonderfully Gareth gave, if this agent finds that right ticket, which I bet the agent will fail into for Gareth’s budget. But if it does find it, it can quickly, or if it doesn’t, it can say, Gareth, can’t find for 500, but here’s the 700 bucks. Do you approve? We need those capabilities.
And that’s what our Auth0 for AI agents platform provides, out of the box APIs. You can just plug in and it’s working. It works for you. And then with these standards layered on to make sure it’s done right, but also not just us, any other technology and application that plugs in or wants to plug in can plug in with these standard, you know, specs that we are all following.
And then I want to layer in another aspect, which is now which you were talking about in your introduction, which is governing and keeping tabs on these AI agents. That’s where the Okta platform comes in and brings that layer in. So when we think about AI agents, we call about how we think about AI security. We talk about identity, will, and should be driving that security layer end to end. And Auth0 and the Okta platform brings that end to end security for AI.
Gareth Davies (24:09.045)
And I think just one totally on board with everything Bhawna said, I think the critical point to highlight here is that this is not reinventing the wheel, right? We’re experiencing a fundamental technology revolution, right? That we’ve had mobile, we’ve had social, we’ve had cloud, right? We’ve seen transformative businesses change the shape of the digital economy as a result, both in enterprise and across consumer and AI is just bringing a whole new paradigm to the table. But the foundational building blocks of who should and can have access to what resources for which use cases is a core question of identity. So I think what’s been exciting for us is we’re thinking about how do you take already a globally leading scalable identity platform and evolve it for this new paradigm.
But we’re still talking about identity. Now we need to bind agentic identity to an individual’s identity, and we need to manage permissions. But the foundations are the same. So we’re already building on OAuth and OIDC and all the foundational protocols that drive identity. And we’ve been at this for a long time. So it means we get to have these very rich conversations with customers around how do they build these delightful but secure experiences. And part of that is also just ensuring that we’ve got a secure, scalable, reliable, highly available platform. We’re doing everything we’re doing to already implement best-in-class identity to thwart attacks. And then we’re adjusting for this agentic future. And I think that’s where, as an industry, there’s a ton of learnings and an opportunity to share so that we can find and identify the right identity patterns that ultimately create the most value.
Beau Hamilton (26:00.559)
Right. Yeah, there’s so much excitement. I mean, what around the customer facing kind of tools and applications. But then there’s just like learning about all the behind the scenes required at the foundation. And, although a work is required to make a lot of these customer facing, applications possible, is, I mean, most people don’t, aren’t aware of it. Of course, there’s so much to learn, talking with you guys to kind of help kind of explain the behind the scenes and the importance of authentication and validating users. Obviously, like you saw, OpenAI starts partnering with more and more companies to help kind of commerce companies to like buy, facilitate transactions in the app, in the chatbot. And just everything that’s required to accomplish that is really fascinating. It needs to be done right.
As far as like your platform and your compatibility with different organizations, how would you say different teams with different sort of technical expertise are able to approach your platform Auth0, in their environments and for their specific needs? And what’s the learning curve associated with it? Is it pretty easy to adopt and scale with all sorts of different needs?
Gareth Davies (27:26.665)
Yeah, I mean, I think Auth0, I mean, kind of historically, our genesis was really helping fast growing developers in rapidly growing startups and organizations of many sizes abstract away the complexity of identity. You don’t need a PhD in identity. So we help you get rapid time to value, very developer focused, providing that tooling to deliver this great identity experience out of the box.
I think that continues to be true today. And we have hundreds of thousands of developers live in Auth0 at any given moment, building from the smallest hobbyists to the world’s largest organizations, the biggest technology giants are leveraging Auth0 to ultimately enable and drive identity and scale. So it’s truly across the board on a global basis. And so in reality, in many ways, the implementations may be very different if I’m a large Fortune 500 or Fortune 200 organization. Chances are I’ve got a legacy stack of identity vendors, I’ve got homegrown systems, I’ve got multiple internal resources, multiple customer facing apps, and there’s a lot of complexity. And for these folks, then that’s where we kind of bring the kind of technical architecture and our consultant teams to come in and really define and understand the scope. And so that engagement will look quite different.
But ultimately, when developers get hands-on keyboard, everything is geared around world-class developer experience, documentation, SDKs, tooling, so devs can get fast time to value. And that’s a never-ending investment. That doesn’t end, right? If you think about the number of technologies and frameworks and SDKs we need to be able to support making sure now in the agentic world, our docs don’t just need to be human readable, they need to be AI readable. So that’s required a wholesale shift of our doc infrastructure so they can conform to llms.txt and they can be exposed to LLMs.
And then another thing I’d add is as developers are increasingly leveraging new tooling and we’re seeing AI, again, this wasn’t meant to be an AI answer, but we’re seeing the way developers build software is evolving and is increasingly, your copilot, your AI enabled IDE is an accelerant for their productivity. And if you’re a smaller company or certainly we do in our own product teams, we’re using the v0s of the world and the Replits and others to do vibe coding. That’s not ending up in production. We’re prototyping ideas and just getting things down quickly.
But this is a good example of where the tooling the developers use is evolving. And they’re using AI-enabled technology to actually build and design experiences. And so all of this means that it’s a constantly evolving investment to make sure that we’re delivering that experience and making it easy and delivering fast time to value. But whether we’re dealing with the smallest hobbyist to, again, Fortune 200, 100 company globally, everything’s anchored around designing the right implementation so that they have strong foundations and they can scale.
Beau Hamilton (30:48.369)
Now, when those teams are kind of first up and running, I’m curious, like, what are some of the results they’re seeing maybe firsthand that you wouldn’t maybe think about? Because like, I don’t know, when you think of cybersecurity and just the security approach in general, it’s like, it’s not really an issue until it is, you know? And so when you have a robust security platform, authentication platform, you know, it’s, you wouldn’t expect there would be an issue anytime soon or implementing it. So are there any other measurable results you see teams notice after they adopt?
Bhawna Singh (31:27.288)
Yeah, let me share a few. But I would also call out that I agree with you that cybersecurity isn’t an issue until it becomes an issue. But I would say successful organizations, the way they are making decisions and driving outcome and results, are they are thinking about it ahead so it doesn’t become an issue and not wait for it to become an issue. That’s a very good point, right? And I think some of the great outcome, out of the box, you get a secure platform, which is highly available and making sure it’s compliant. So that’s kind of out of the box as part of our foundational outcome, which is key because now you’re not wondering, am I, you know, am I checking this box? Am I checking certain compliance or even security checks and everything? So that’s certainly something that they get.
But on top of that, I think as we call it out, flexibility is a key part to drive user conversion. And we have seen higher conversion rates from our customers as much as they have reported seeing 54% increase in conversion, certainly reducing login time, because latency is certainly something that we keep in mind as we also build as part of technical requirement. Gareth called out bot detection as a feature. We certainly have multiple attack protection capabilities in our system, which is also something that our customers use that allows them to make sure that they are getting the right traffic and not all traffic. So that’s another aspect that they see out of the box.
To quote one of our customers, Cinepolis, I would say, they saw 300% increase in new loyalty customers, which is huge within three months of bringing Auth0 in. And they also saw 16% reduction in fraudulent transactions that sent from fake accounts.
These are all key capabilities that many organizations get. A lot of them, I would say, they expect to get as well, but also that the numbers that they see and when they report is just a huge, you can say, motivation.
But I’ll also call out the last one, I feel is also something that they look for when they bring up a product in, which is, how do we make sure that they are now the developers can focus on other innovative ideas? Because especially with AI, they have so much on their plate to do while the expectation is that it doesn’t come with more headcounts. So how do you drive this innovation in the AI space while making sure that your team is focused on innovation and not the day-to-day keep up, right? So that’s another place that bringing the product in and kind of gives you out of the box all of that support so that you can focus on innovation and bring your technology team to drive more new products, new innovative ideas.
Beau Hamilton (34:20.793)
Yeah, when you think about that ripple effect, right? From freeing up a developer’s time and what that allows them to do, I mean, that just speaks volumes, you know, aside from like the friction around logins and the fewer security incidents, which are both very positive effects, the more time a developer has just to actually maintain their product and maybe build out new features of their own. I mean, it’s a win-win. And it just kind of underscores that like AI efficiency era we’re in, which I always like to call it. More than the agentic era, I just always like to refer to it as the efficiency era. ‘Cause it’s just, I mean, you hear of all these gates, the 300% improvement in three months is a huge stat.
Bhawna Singh (35:04.43)
Yeah, you’re spot on. Did you just call our product an efficiency product? I think we will take it.
Gareth Davies (35:09.494)
And just, I think we covered it, but there’s efficiency and then there’s trade-off on risk and delight. But what’s exciting when you see customers that reduce their risk, you see their attack surface diminished, huge increase in fraudulent blocked traffic, and driving increased customer engagement and conversion and growth. And I think that’s one of the things that we’re really working on is how do we empower our customers and their teams to be able to tell that story. Because oftentimes identity is considered this like foundational. Of course, we need identity, we need to be authenticating, being able to authenticate and manage users. But it is so central to mitigating risk. The vast majority of attacks and security breaches come in through the identity, you know, the identity path. But it’s also essential to this delightful, frictionless end user experience that we all expect as users, whether that’s B2C or even in an enterprise B2B environment.
And so if you can deliver that, then it becomes a strategic growth lever for the business, in addition to all the other benefits we’ve talked about. So we’re thinking through how do we empower our customers with the tools to be able to not just quantify those outcomes more directly, but also to configure and to toggle that kind of that trade off so that you can get the right balance based on your business goals.
Beau Hamilton (36:35.781)
Now, is there maybe an unexpected feedback that you’ve received or maybe learned from your customers or the market that’s kind of changed or altered your approach? I mean, I know this is kind of a new area with some of these AI innovations. So I imagine you have kind of realized what works, what doesn’t. But anything in particular that might come to mind where, yeah, that’s been like a learning experience for you?
Gareth Davies (37:05.878)
Real quick on the AI one, I’ll pass to Bhawna. I think just the sheer size and ambition. Plenty of folks are trying to figure out this agentic identity problem. We were first to market with a really exciting set of capabilities, which as Bhawna mentioned, is about to move to GA. I think when we started on that journey, we didn’t know what we were going to learn, right? It’s very much, this is uncharted territory for pretty much everyone industry-wide. And so I think there was a hypothesis upfront on the product side that, listen, we’re going to see, we’re going to see appetite from large organizations, but they’re going to be a little bit slow. We’re going to see startups, particularly the AI native startups that are busy disrupting traditional enterprise software. So, you know, anyone who’s, you know, my AI SDR, right, company or, you know, AI driven workflow automation, whatever it is, there’s a lot of capital, particularly in San Francisco and Silicon Valley, anchored around this new wave of AI first B2B SaaS startup. And we’re absolutely seeing innovation there, don’t get me wrong, but I’ve been blown away by the number of large established enterprises, you know?
Just today we’re talking internally, I won’t reference the customer, but big global Fortune 100 looking to roll out to 1,000 agents per customer. So this is just the scale and the ambition of organizations and the amount of investment and R&D dollars that are going behind building and testing agents at scale for both internal and customer-facing use cases. I think it’s maybe a couple of orders magnitude more than we had expected at this stage.
Now, listen, it’s still super early. We’ve got to see how that translates into real production applications and what the net value is. And ultimately, there are financial calculations. Wall Street is going to judge how effective many of these implementations are. But I think there are some pretty, like, the conversations we’re having with, like, you know, maybe the 100 of our largest enterprise customers, there’s a really significant investment to build real production at scale deployments leveraging AI. And I think certainly for us that was a positive surprise. It wasn’t a shock, but it’s a little earlier than we’d expected. And so now it’s how do you, how not only do you have the feature set to solve these kinds of problems, but how do you ensure that you’ve got security and you have infrastructure at scale that can respond to some of these use cases? That’s the next part of the equation.
Bhawna Singh (39:44.11)
Yeah, I’ll add one here as well, which is in addition to that, I think a little over a year, as the AI journey started for many, the acknowledgement of bringing an identity into it to make sure that it’s done right was not quite there. It was still in the conversation. It was still less understood.
And I would say today, the customers themselves have a great understanding rather than explaining why identity is needed as they are building these AI agents. The very example that Gareth, you just called out. They themselves called out that given we have to roll out these many agents, I need an ability to observe them, control them and manage a life cycle and act that you have to help us. That’s a key change you can see our shift in the industry from the customer point of view.
On the aspect of, I would say, very interesting learning, even for us as we were developing in this space, was we have been working with apps to app conversation, or we have been unlocking app to app interconnection. But with AI, it just became a multifold. To give an example, now apps and agents are going to make decisions by themselves, which means now we need to unlock and give them the token ability or ability to access these tokens and share with each other. So that’s, that was a very unique use case, which we didn’t start with to say, this is what we are trying to build. We were, of course, authentication authorization, the usual stuff.
But as we started to see the actual application build out, we saw the token, the keys just around in a notepad, in an application all over the world in the space as we saw the development. We realized right away we need to solve that with something that we call Token Vault, primarily because that’s security 101 and we are going backwards. So that was a very interesting, I would say observation for us. And then that led to an innovation in the platform.
Beau Hamilton (41:55.932)
That is really interesting. Yeah, because you don’t want to go backwards, of course. But I think on the flip side, what you were saying earlier about a lot of these companies you work with, I mean, they recognize the immediate kind of glaring security holes and issues there. So they want to be proactive because obviously you need to be proactive because it only takes one major issue, one widespread breach, whatever it might be, especially if you’re a publicly traded company, or just to really decimate your brand image, really hurt your customers. So you gotta be proactive. That’s really important. I think that’s one thing, just focusing on that strategy. It kind of helps you stand out from the competition, the other kind of players in this space working on tackling this issue, right?
Bhawna Singh (42:42.434)
I’ll add one more thing that has been an industry, I would say, controversy, which is if agent does something wrong, whose responsibility is it? And if you really think about it at a very deep level, it again maps to whose identity is that agent using. And what does it map to? Either it’s a human or a service or account or admin, whatever, right? Because it’s doing things to serve a purpose and what that purpose is and whose identity it is mapped to. That’s where the accountability lands. So identity truly solves all these controversial unsolved questions as well, if you bring it in the right way.
Beau Hamilton (43:34.897)
Perhaps unless, until we approach that kind of autonomous AGI sort of artificial intelligence realm, where then it becomes maybe harder to point the finger at the blame game with who’s at fault, right?
Bhawna Singh (43:51.246)
Well, let’s hope for that future to come and then I’m sure we will find an identity that will solve that too. What do you think, Gareth?
Gareth Davies (44:00.593)
Yeah, well, now we’re going to get into a discussion on consciousness and, you know, emergence. But yeah, I think, listen, non-determinism, right, these agents are non-deterministic. So the prompt is still very much driven, right? And they’re an agent. So they work on behalf of the individual, right? So I think that’s baked into the name. So I think the good news is that in today’s world, we can absolutely bind an agent to an individual. And having the audit chain and the ability for organizations to see which agents are being deployed, resolving the shadow IT risk, and ultimately bringing accountability and full audit trails towards the whole lifecycle is really important, both within organizations and for end users. But the good news is these agents are still ultimately operating for us.
So that’s why we’ve got to think slightly differently. That’s where, for example, async auth and bringing the human back in the loop at the right time is an important design principle. Yeah, I still think, I know, we could debate about the path to AGI. I think we’ve got a little bit of time. But yeah, we’ll have just another type of identity we’ll need to manage. So I think we’ll be excited to see how that unfolds. And I’m sure we’ll have a role to play there, no doubt.
Beau Hamilton (45:21.955)
Absolutely, yeah, there’ll be definitely some solutions that people think of to tackle that issue. But I think we’d have to, we’ll have to have you back for another episode to tackle that widespread topic, you know?
Now, yeah, we are coming down to the end and I just kind of want to see if maybe you can, what’s coming down the pipeline in the next few years? Everything’s AI and agentic AI right now. But what are you focused on? What areas are you really focused on and most interested in kind of exploring that you think will really have the biggest impact?
Bhawna Singh (46:30.018)
Well, things that I, of course, outside of the building this platform to enable secure agentic development, which is key, which is something as a technology leader, it baffles me to see how AI evolution has happened, but the adoption is so far away.
And as a technology leader, I certainly want to solve for that. And I’m certainly inspired that I am hoping and my team is hoping and all of us are kind of building something to enable that. That certainly is an exciting part. The second aspect of course is unlocking this future of AI. And as you know, as we are coding thousand and whatever that number becomes, I think it change, it will change a lot of how we are developing. So certainly in my team, we are having architectural conversation of what kind of pressure points will it put in our data stores, in our APIs and all of that.
And I mean, I’ll give you another aspect I would say here is attack or even, you know, traffic patterns. A lot of our decision making and when I say our, I’m talking about technology, not just not Okta or Auth0, where technology decisions are made because traffic goes down at a certain time of the day versus a different time of the day. That will change when we have agents are running and doing something 24/7.
Another type of decision, even security that we make based on which GEO a certain call is coming. That will also change if there are agents running from different places. So these are foundational and fundamental shifts in the technology ecosystem that will have to be rethought and re implemented, I would say. And those are all the conversations I am kind of thinking about and figuring it out to see, from my company’s perspective, but also technology ecosystem perspective with my fellow leaders.
Gareth Davies (48:26.484)
Yeah, I mean, I think that we’ve covered a ton of really interesting points. I would try and synthesize it as saying, identity is the foundation of secure and trusted digital experiences, and even bridging the digital and the physical world. And as any modern organization wants to, you know, if you’re not a customer first digitally native organization delivering a world class experience, then you’re not competitive. So as the threat vectors expand, as the consumer expectation for delightful frictionless experiences just continues to grow, and then we have these evolutions, foundational evolutions, shifts like AI, the good news is that the foundations remain true. We need secure, scalable identity foundations that enable users to access the right resources for the right use cases.
We’re going to continue to invest in global scalability to support customers and developers all over the globe. To continue to do that with high availability, reliability, really investing in our security product suite, because even if you’re leveraging many of the large security vendors, security for identity has a certain set of discrete and unique properties and problems. And I think we’re really well suited to help our customers navigate some of these challenges. So I’m excited to see how we continue to lean in. The security threat never reduces, it always grows. So we have to be vigilant and we have to simplify this for our customers. But we have to do this in a way that continues to unlock value and drive delight and delightful consumer outcomes that ultimately drive sales and loyalty and everything we talked about in some of those references.
So I think this is where many of the things we’ve talked about, AI, scalable foundations, our embedded API first strategy to enable orgs to build these really delightful, pixel perfect branded experiences, but also really getting more maturity around your authorization frameworks, which is where FGA comes in. If we can continue to bring these to the industry and invest industry wide in these open protocols, then not only are we serving our customers and developers, but the industry’s evolving, which translates into more delightful and secure experiences for everyone and a safer internet. And for me, that’s really exciting. We’re purpose driven here. Of course we want to grow, but we want to secure the internet and empower our customers to unlock value. So that’s where we’re going to keep investing. So yeah.
Beau Hamilton (51:08.997)
Well said. You’ve, well, you’ve given us a lot to think about and I appreciate everything that you shared. I know my mind just, and a lot of the, you know, family and friends I’ve talked to about the AI because it’s, it’s obviously not just a tech industry topic of discussion. It’s a worldwide phenomenon and seeing all these headlines about all these investment mega deals with data centers and cloud deals and partnerships is one thing, but I think there’s a lot of disconnect with kind of the general public about like, is this actually resulting in tangible, you know, delivering anything measurable like that will actually improve our lives.
But I think talking with you two and others in the industry, it’s like there’s, I mean, this is really a major focus point, and I think hearing about that foundational, like whether it’s the protocols you’re adopting but just the general kind of foundation and approach you have to making sure this new technology can be adopted as smoothly as possible is really what we’re all going to be thankful for. And I think there needs to be more attention to that, more importance and focus on the kind of back-end side of things that are so important. So a lot to unpack, a lot to talk about, but I appreciate, again, everything you’ve shared with us.
Beau Hamilton (52:34.138)
Of course, to summarize, Bhawna Singh, CTO at Okta, and Gareth Davies, Chief Product Officer at Auth0. Thank you again for everything. Hope to have you back one of these days.
Bhawna Singh (52:31.992)
Thank you, it’s been great, yeah.
Beau Hamilton (52:54.607)
And thank you all for listening to the SourceForge Podcast. I’m your host, Beau Hamilton. Make sure to subscribe to stay up to date with all of our upcoming B2B software-related podcasts. I will talk to you in the next one.