Auth0’s Matias Woloski on prioritizing the developer experience

The Auth0 co-founder and CTO discusses the company’s focus on developer experience, the possibilities for decentralized identity, innovations the Auth0 Lab team is looking at now, and more.

Matias Woloski, co-founder and CTO, Auth0

Matias Woloski is co-founder of Auth0, a leading innovator in identity and access management (IAM). He currently acts as its CTO, a role to which he brings a forward-looking dynamism.

Auth0 is a cloud identity platform that helps developers deal with authentication and authorization. It was founded in 2013 by Woloski (CTO) and Eugenio Pace (CEO) through a remote partnership, with Woloski living in Argentina and Pace in the US. It was acquired by Okta in May of 2021 for $6.5B.

The Okta-Auth0 partnership brought together the enterprise mastery of Okta with the developer-first services of Auth0, making for a cybersecurity juggernaut.  As part of Okta, Auth0 has continued to improve core features for developers and at the same time throw a spotlight onto coming innovations in the space including web3 technology.

I had a chance to talk with Woloski about Auth0’s ongoing research into areas like fine-grained authorization, the impact of web3, major cybersecurity threats, and nurturing innovation in a large organization.

Matthew Tyson: Auth0 has been remarkably successful in helping developers deal with authentication and authorization.  From my perspective as a developer, Auth0 is compelling because it gives me three things: a remote API to integrate with, in-code tools to make the integration more painless, and a web dashboard for management of the IAM data.

How would you describe Auth0 in the broadest sense?  Where does it fit into the developer’s landscape?

Matias Woloski: Think about Auth0 like an authentication and authorization microservice, built by a team of hundreds of developers, with all the features you would normally have to build yourself. Auth0 provides fast, easy logins with advanced security features as an identity layer across your applications, so you can spend time implementing your core business.

We spend a lot of time on the developer experience, from providing everything through APIs, to implementing integrations and docs for whatever framework you’re using. One of our most popular features is extensibility, which makes it simple to customize the user experience with serverless code, or extend authentication with easy-to-use integrations, what we call “Auth0 Actions.” You will never feel like you are constrained as a developer. 

Tyson: You and Auth0 Labs recently posted this eye-opening tweet. When I read it, I sat up in my seat. It’s a really bold vision of what might be as web3 and identity come together. (It’s early days, but it’s already possible to use a wallet for authentication in Auth0.)

What are the potential benefits of blockchain for auth?  How big do you think this is going to turn out to be for the industry?

Woloski: Crypto wallets and other blockchain technology are yielding fertile ground for conversations around decentralized identity.

Crypto wallets hold private keys, which are used as an authentication mechanism by which you (your wallet, specifically) assures ownership of the corresponding account and its assets. An application can issue a request to your wallet address (public key) that is digitally signed in the wallet itself and returned to the application to prove that this wallet is indeed legitimate. This is a form of authentication.

Using a crypto wallet, people can pseudo-anonymously authenticate themselves as the owners of the account on the blockchain. Could this form of authentication be used for traditional web application scenarios? Absolutely. Will decentralized login catch on in the coming years? We don’t know.

There are more questions than answers with respect to how web3 authentication will impact mainstream applications and businesses, but we certainly aspire to facilitate emerging opportunities.
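The challenge-response flow Woloski describes (the application sends a request, the wallet signs it with its private key, the application checks the signature against the public key) is shown below as an added example; it is not Auth0 code. It assumes Go's standard-library ed25519 in place of the wallet's actual signature scheme, and adds the two checks a server needs in practice: the nonce is bound to the claimed key, and it is single-use, so a captured signature cannot be replayed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
)

// Server keeps one outstanding nonce per wallet public key ("address").
// Not concurrency-safe; a real deployment would lock or use a store with TTLs.
type Server struct{ nonces map[string]string }

func NewServer() *Server { return &Server{nonces: map[string]string{}} }

// Challenge issues a fresh random nonce bound to the claimed public key.
func (s *Server) Challenge(pub ed25519.PublicKey) (string, error) {
	b := make([]byte, 32)
	if _, err := rand.Read(b); err != nil {
		return "", err
	}
	nonce := hex.EncodeToString(b)
	s.nonces[hex.EncodeToString(pub)] = nonce
	return nonce, nil
}

// message binds nonce and key, so a signature cannot be moved to another challenge.
func message(pub ed25519.PublicKey, nonce string) []byte {
	return []byte("login:" + hex.EncodeToString(pub) + ":" + nonce)
}

// WalletSign is the wallet side: the private key never leaves the wallet.
func WalletSign(priv ed25519.PrivateKey, pub ed25519.PublicKey, nonce string) []byte {
	return ed25519.Sign(priv, message(pub, nonce))
}

// Verify accepts only a valid signature over an outstanding nonce, then burns
// the nonce so a captured signature cannot be replayed.
func (s *Server) Verify(pub ed25519.PublicKey, nonce string, sig []byte) error {
	key := hex.EncodeToString(pub)
	if s.nonces[key] != nonce {
		return errors.New("unknown or already-used nonce")
	}
	if !ed25519.Verify(pub, message(pub, nonce), sig) {
		return errors.New("bad signature")
	}
	delete(s.nonces, key)
	return nil
}
```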

Tyson: It's really fascinating to think about the convergence of web3 and IAM.  I think token gating may have an impact on authorization also.

Are there any other areas of R&D that you’d like to highlight?

Woloski: The charter of the Auth0 Lab team is to focus on long-term innovation, working 18-24 months ahead of engineering, doing prototypes, research, and strategic corporate development. Our modus operandi is incubation. We are connecting with customer problems and planting the seeds for what we think is going to be the future of identity.

Our main focus for R&D is on potential adjacencies (new products), selling to existing markets (developers). So, for example, fine-grained authorization (FGA) and privacy are areas we’re looking into, which are adjacent to authentication. Similarly, we think about how the product could change to go after a new market, like government.

Right now we’re doing some research around digital credentials and wallets, which is upcoming, but not a mature technology in the industry. In the future, we believe companies will need to support the concept of a credential issued by another party, and the consumer owning their own data. They will have multiple digital credentials issued by different organizations. But they will also need a hub that centralizes their own policies and user data store to solve their use cases (centralized).

We are also exploring web3 technologies and our role in that context. We think we can help bridge the gap between web2 and web3—especially when you think about the account layer, beyond the wallet. We are partnering with multiple web3 companies and adding integrations into our marketplace.

Tyson: In an interview with CTO Craft, you talk about engineering and mistakes, saying “this is just the nature of building things,” kind of pointing out that mistakes are critical to innovation. Any advice on how to maintain this mindset in the daily work of building when pressures can tend to drive out the willingness to be risky?

Woloski: It’s important to give your team room for experimentation. We do three hackathons per year—each one lasts three days, and 30-plus teams sign up. You get to see all sorts of innovation coming straight from the trenches. Some of the ideas get discarded, but others are implemented or marked for further research, so we can better understand them. The bottom line is, we aim to foster a learning culture.

Tyson: As a person heavily involved in cyber security, what keeps you up at night?  What do you see as the biggest threats now and on the horizon?

Woloski: The fact that we secure billions of login transactions every month globally means that we have a unique perspective into what’s happening with identity-based attacks. What we typically see are breached passwords, credential stuffing, synthetic account creation (also called fraudulent registration), and MFA [multi-factor authentication] bypass as the biggest attacks—all of which we detect and prevent.

Every year we release a report called The State of Secure Identity that analyzes threats using real-world data from the Auth0 platform. Last year’s found that credential stuffing accounted for 16.5% of attempted login traffic on our platform. Credential stuffing attacks have been around for a long time; what’s changing is how cheap and easy they are to do. You can download a list of breached passwords or IP addresses for free. You can run a botnet for an hour for a dollar. This is why we’ve invested in fully-featured attack protection on the security side.

Our goal is that users feel like they almost never have to enter credentials to access their apps. But at the same time make them feel that their applications are trustworthy. For that you need adaptive security that challenges the users only when there’s an anomaly.

Tyson: That is a very interesting high-level look at threats.  Also somewhat chilling how sophisticated and inexpensive crimeware has become.  The idea of adaptive security is enticing as a way to harmonize convenience and security.

Can I ask about the acquisition with Okta?  Do you have advice for startup folks? Help them navigate those waters?

Woloski: Merging two organizations of our size is complex. Leadership is key for aligning on a few decisions right away and moving forward decisively. People will come along, but these processes take time. You have to give room and outlets for people to internalize these processes and deal with the change in a way that works for them.

Tyson: You and Vercel founder Guillermo Rauch are both from Argentina.  I was struck by how similar Guillermo’s experience in Buenos Aires was to mine in the US.  Do you mind talking about the tech scene there and your experience?

Woloski: Buenos Aires has always been a great hub of entrepreneurship and tech. The first Latin American unicorns were created there (MercadoLibre, Despegar, etc.) in the 2000s. These days, you see a lot of web3/crypto stuff happening—OpenZeppelin, Decentraland, and other projects were started by Argentinians. There is a combination of talent, resourcefulness, passion, and resilience created by the environment we live in. The effect of that is people who are creative, passionate, and willing to take risks.

Copyright © 2022 IDG Communications, Inc.
