If Okta is ever compromised, they have a team of people working 24 hours a day to deal with it as quickly as possible. And, of course, to prevent it from happening.

When it comes to security, it's often a pretty good idea to put all of your eggs in one basket, and then make sure it's a really, really good basket. Unless you're certain you can make a better basket yourself -- and when it comes to auth, there are a lot of ways to make bad baskets -- it's better to use somebody else's basket.

It's not perfect, but I know I'm not an expert in auth. I use Auth0 and then get on with the rest of my work.

You are arguing from the perspective of a single company, while the parent is arguing from an ecosystem perspective.

Sure, for a single customer it's good to have a widely used product with a big ops and security response team.

But if so many companies use a single provider, the fallout of a compromise also becomes much larger. This makes attacking the system more appealing and attracts more sophisticated adversaries, including state actors.

Also, size doesn't necessarily lead to a better, more secure product. It often does for well-run, modern IT companies.

But any familiarity with the enterprise software space is quite sobering in this regard.


Monocultures are more efficient, until they aren't.


I've heard the exact opposite for security: defense-in-depth. For example, IdP with Okta and 2FA with Duo. This seems much better to me.


Agreed.

To add something useful to the conversation & giving the benefit of the doubt: maybe the parent was describing a situation where an org didn't have a cohesive security plan. If half your people are using one service, and the other half are using another, you've got a problem. I suppose this can blow out in complexity, and maybe risk(?), once you're stacking services (IdP, MFA, ...).
