After announcing our Series E funding this past May, our CTO and co-founder Matias Woloski wrote a meaningful blog post about Auth0's evolution over the past six years and our vision for where we're heading. We believe that our placement as a Visionary in the 2019 Gartner Magic Quadrant for Access Management* is another opportunity to reflect on a few customer trends behind that vision.
According to the report, "SaaS-delivered access management has become the norm, as has advanced user authentication including MFA. AM vendors are maturing their approaches to session management, contextual and adaptive access, and API protection, which will begin to enable CARTA-aligned access management approaches."
Customer trends brought to our mind by these themes are:
Universality: Some identity features are not necessarily user-specific - e.g. identity features typically used for consumers accessing an app are also being used for business users.
Security: Security practitioners want identity solutions to enforce policy and export security data to their own tools, rather than do the analytics and create yet another dashboard to look at.
Developer-centricity: The influence of developers on identity tools benefits the broader team involved in identity in terms of licensing simplicity, speed of implementation, and customization capabilities.
Trend #1: Identity Features That Are Beneficial beyond One Use-Case
One of Gartner's criteria for inclusion in the Magic Quadrant report is, "Vendors must have marketed and sold products and services in 2018 to support all major use cases (B2E, B2C and B2B). Substantial customer numbers for each use case were required. For example, CIAM solutions that are only or mostly marketed to support only B2C use cases were excluded." We know that Auth0 has been a universal platform since day one, designed for any and all use cases, so it's relevant for us to dive into features intended for a specific audience and see if our customers are finding them helpful for other users.
For example, an e-commerce app might offer sign in via social login with Facebook or Google, whereas a B2B SaaS app would be more concerned with connecting to enterprise identity providers like LDAP or Office 365 and having a delegated administration functionality to manage their customers' users and permissions.
What we are seeing more and more, however, is that applications are serving different kinds of users concurrently. And features that typically would have been only considered for a particular use case are becoming surprisingly helpful for others.
For example, SSO is an important functionality for both enterprise and end consumer users. But consumers prefer to sign in with social login, which lowers login friction and increases conversions. There are social logins that are more relevant to business versus end user audiences, but customers are using the same login box for an application that caters to both enterprise and end consumers, with a social login option for each: for example, G Suite for enterprise users and Facebook for consumers. And SSO works, with that login box as the starting point, for each type of user.
A more surprising example is multi-factor authentication. This is widely used among business users but is traditionally believed to have a lower adoption rate with consumers because of its perceived impact on the user experience and the way it slows down the login process. Our customer data shows that MFA implementation actually increases when applications include both end consumers and business customers, versus apps that only have one or the other. We are analyzing this to discover whether the underlying cause is that these same customers have also put tools in place like Step-up Authentication or Contextual MFA to lower the impact on their end users.
Trend #2: Identity Playing an Integral Role in Overall Security Strategy
According to this year's report, "Gartner's evaluation of vendors' products and services in this Magic Quadrant included new considerations about the vendors' primary ability to provide AM solutions that either offer embedded or integrated identity corroboration capabilities for CARTA." CARTA stands for "Continuous Adaptive Risk and Trust Assessment."
Our vision is to provide people with secure access to any application in one click or less, so this concept touches both on the element of security, as well as good user experience. We have confidence scores, a part of our own Continuous Authentication roadmap in Early Access at the moment, and we think adaptive security is particularly important to the future of identity.
Gartner specifies that "to embrace an adaptive approach, Gartner evaluated AM vendors' capabilities to address at least these three needs:
Context-based "conditional" access control.
Integration between applications and other sources of risk context information. This can be provided via an externalized authorization architecture (OFA, CASB); an application wrapper and protocol interpretation; a WAF; zero-trust network access (ZTNA; formerly a software-defined perimeter); or an API gateway.
Continuousness. Risk and trust automatically assessed for every interaction throughout every session --- and this can come only through integration with applications."
To us, this suggests that no identity vendor is ever going to have all the security analytics and data, which makes the ability to integrate with other, more advanced and specialized tools a necessary strategy.
In order to find anomalies in massive amounts of security data that flow from a multitude of products, well-defined and purpose-made incident response tools are the de facto best practice for mature security teams. Our customers seek the security data that comes from our platform as a way to enforce their overall security strategy. With our mission of securely enabling access to any application in one click or less, our customers no longer have to choose between security and user experience. Both can prevail.
We also have a strong interest in how our customers digest and use the security data from our product. Our vision includes an optimal and secure end user experience as well as providing an optimal experience for the teams tasked with making sense of and acting on the security data.
Our customers want us to be able to integrate with other, possibly more advanced, visualization, auditing and analysis tools as part of their overall observability strategy. They value the auditing, logging, and policy enforcement power of Auth0 alongside the ability to export that data to the tool of their choice.
Trend #3: Developers Are Empowered to Make Decisions That Impact the Bottom Line
Matias's blog post highlights the visual below, with the developer in the center, surrounded by the architect, product manager, IT admin, and security engineer.
Source: Auth0, 2019
This entire ecosystem benefits from licensing simplicity and speed of implementation. No matter how simple you think your pricing model is, customers still want it to be even more straightforward. And developers need to get the job done to move the rest of their work forward. For them, identity is not the be-all and end-all, far from it. It is instead a difficult, time-consuming speed bump that can quickly become a thorn.
And the onus doesn't just fall onto the developers, even though they are the ones implementing it. Their efforts have a ripple effect, including architects with migration deadlines, product managers with revenue targets based on launch dates, and IT Managers panicking over compliance deadlines.
While identity is historically very tricky and requires a lot of customization, vendors who have figured out the right mix of out-of-the-box and customization capabilities empower developers to get identity going quickly, and this benefits the rest of the team and the bottom line.
We are constantly learning from our customers and take their feedback to heart, not only to predict where the market is heading, but to continually improve upon our platform. We are excited to be in the Gartner Magic Quadrant for Access Management as a Visionary for the second year in a row and are thankful for our customers who continue to teach us about the true impact of identity on their goals.
If you would like to learn more about our vision, platform, and how we can help your organization, don't hesitate to reach out.
*Gartner, Magic Quadrant for Access Management, Michael Kelley et al., 12 August 2019