Online data breaches are on the rise, and it’s no great mystery why. In a recent survey conducted by LastPass, 59% of respondents said they reused passwords across multiple accounts and more than half said they hadn’t changed their password in the past year. About 95% of cybersecurity breaches are attributable to human errors like these, in fact, and malicious hackers are taking full advantage: It’s estimated that there’s a cyberattack every 39 seconds on average.
Bellevue, Washington-based identity-as-a-service startup Auth0 intends to reverse the trend, and it’s raising capital as it acts on its plans. The six-year-old company today announced that it has secured $103 million in series E financing led by Sapphire Ventures, with participation from existing investors Bessemer Venture Partners, K9 Ventures, Trinity Ventures, Meritech Capital, Telstra Ventures, and World Innovation Lab. The cash infusion values Auth0 at $1 billion, and it brings its total capital raised to about $210 million.
The new round comes as Auth0 continues to double customer growth and revenue year-over-year, according to CEO and cofounder Eugenio Pace. Current high-profile clients include Mozilla, PBS, Atlassian, Bluetooth SIG, Nvidia, Harvard Medical School, News Corp, Whitbread, HarperCollins, Nando’s, Talbots, AMD, C.H. Robinson, Tableau, Safari, Schneider Electric, Accela, and FuboTV, and over 7,000 others in more than 70 countries.
“This … is validation that what we are doing and the platform we are providing are imperative for the success of our customers,” said Pace. “Businesses cannot afford a data breach, and this investment is a key indicator that identity management is an industry worth investing in.”
The company’s identity platform suite — which can be deployed in the cloud or on-premises — supports single sign-on (SSO) through a universal flow that directs users to a centralized authorization server. Auth0 asserts that because authentication takes place on the same domain as the login, credentials aren’t sent across origins, protecting against attacks like phishing and man-in-the-middle.
If all else fails, Auth0 detects password compromise in real time by checking against a database of “hundreds of millions” of breached credentials. It notifies affected users automatically, via email or text, and it gives admins the option of preventing access until after they reset their passwords.
Auth0 boasts integration with popular platforms and protocols like Google Suite, Microsoft’s Azure Active Directory and Active Directory Federation Services (ADFS), Lightweight Directory Access Protocol (LDAP), Security Assertion Markup Language (SAML), and even Facebook, Twitter, WordPress, GitHub, Yahoo, PayPal, and AOL. Its account-linking feature can consolidate duplicate user names across providers, and Auth0 allows customers to customize the authentication experience with custom-branded domains and a web and mobile login widget — Lock — that can be embedded within apps.
On the management side of things, the company’s dashboards afford control over user account provisioning (and deletion), permissions, and identity providers, and offer full visibility into authentication, device, login history, and location logs for auditing and debugging. Moreover, Auth0 hosts tools that surface data for personalized user targeting, and that enable granular control over features like social logins, multi-factor authentication, and anomaly detection on a per-app basis.
Other spotlight Auth0 features include a powerful rule builder that automates things like verification emails and app authentication. With respect to certifications, it supports standards-based protocols including OpenID Connect and OAuth2, and it’s compliant with organizations and regulations such as SOC2, PCI DSS, ISO27001, ISO27018, EU-US Privacy Shield Framework, Gold CSA Star, GDPR, and HIPAA.
That’s not all. Auth0’s Passwordless widget lets users log in without a password via SMS or email, and its Guardian app for iOS and Android enables them to authenticate themselves or deny login requests with the tap of a button. Additionally, Auth0’s multifactor authentication framework facilitates one-time login code delivery via SMS and connections with third-party token generation apps like Google Authenticator.
Auth0 isn’t alone in a global identity and access market that’s anticipated to be worth $22.68 billion by 2025. New York-based Socure nabbed $30 million in February for its cloud-based identity verification and fraud prevention solution. Global identity verification provider Onfido raised $50 million just last month, and troubled identity management firm Jumio recently found more stable footing and launched a new authentication product. More recently, identity and credentials verification firm Evident raked in $20 million.
But Auth0 asserts that rivals lack its scale — and its robustness. To date, it’s prevented more than 1.3 million malicious logins with 99.9% uptime, and it handles between 80 million and 1 billion transactions every day and more than 2.5 billion logins per month (up from 1.5 billion logins per month in May 2018).
Auth0’s free plan supports 7,000 free active users and unlimited logins, while the $13 per month Developer plan nets database migration, role management, email customizations, account linking, and custom domains for up to 1,000 regular active users. The variably priced Developer Pro and Enterprise plans add support for external users.
“Auth0 has demonstrated incredible momentum and continues to be a shining model for unparalleled technology, leadership, and growth,” said Anders Ranum, managing director at Sapphire Ventures. “You can see Auth0’s ethos in the product itself — a highly sophisticated cybersecurity platform that’s universal, scalable, and extensible. The company is changing the approach to business by offering a platform that any company can use to protect digital identities.”
In addition to its North American headquarters, Auth0 has offices in Buenos Aires, London, Sydney, and Tokyo. It employs nearly 475 people, 316 of whom joined in the past two years.