Matias Woloski is co-founder of Auth0, a leading innovator in identity and access management (IAM). He currently acts as its CTO, a role to which he brings a forward-looking dynamism.

Auth0 is a cloud identity platform that helps developers deal with authentication and authorization. It was founded in 2013 by Woloski (CTO) and Eugenio Pace (CEO) via remote partnership while Woloski lived in Argentina and Pace in the US. It was acquired by Okta in May of 2021 for $6.5B.

The Okta-Auth0 partnership brought together the enterprise mastery of Okta with the developer-first services of Auth0, making for a cybersecurity juggernaut. As part of Okta, Auth0 has continued to improve core features for developers and at the same time throw a spotlight onto coming innovations in the space including web3 technology.

I had a chance to talk with Woloski about Auth0’s ongoing research into areas like fine-grained authorization, the impact of web3, major cybersecurity threats, and nurturing innovation in a large organization.

Matthew Tyson: Auth0 has been remarkably successful in helping developers deal with authentication and authorization. From my perspective as a developer, Auth0 is compelling because it gives me three things: a remote API to integrate with, in-code tools to make the integration more painless, and a web dashboard for management of the IAM data.

How would you describe Auth0 in the broadest sense? Where does it fit into the developer’s landscape?

Matias Woloski: Think about Auth0 like an authentication and authorization microservice, built by a team of hundreds of developers, with all the features you would normally have to build yourself.
Auth0 provides fast, easy logins with advanced security features as an identity layer across your applications, so you can spend time implementing your core business.

We spend a lot of time on the developer experience, from providing everything through APIs, to implementing integrations and docs for whatever framework you’re using. One of our most popular features is extensibility, which makes it simple to customize the user experience with serverless code, or extend authentication with easy-to-use integrations, what we call “Auth0 Actions.” You will never feel like you are constrained as a developer.

Tyson: You and Auth0 Labs recently posted this eye-opening Tweet. When I read it, I sat up in my seat. It’s a really bold vision of what might be as web3 and identity come together. (It’s early days, but it’s already possible to use a wallet for authentication in Auth0.)

What are the potential benefits of blockchain for auth? How big do you think this is going to turn out to be for the industry?

Woloski: Crypto wallets and other blockchain technology are yielding fertile ground for conversations around decentralized identity.

Crypto wallets hold private keys, which are used as an authentication mechanism by which you (your wallet, specifically) assures ownership of the corresponding account and its assets. An application can issue a request to your wallet address (public key) that is digitally signed in the wallet itself and returned to the application to prove that this wallet is indeed legitimate. This is a form of authentication.

Using a crypto wallet, people can pseudo-anonymously authenticate themselves as the owners of the account on the blockchain. Could this form of authentication be used for traditional web application scenarios? Absolutely. Will decentralized login catch on in the coming years?
We don’t know.

There are more questions than answers with respect to how web3 authentication will impact mainstream applications and businesses, but we certainly aspire to facilitate emerging opportunities.

Tyson: It's really fascinating to think about the convergence of web3 and IAM. I think token gating may have an impact on authorization also.

Are there any other areas of R&D that you’d like to highlight?

Woloski: The charter of the Auth0 Lab team is to focus on long-term innovation, working 18-24 months ahead of engineering, doing prototypes, research, and strategic corporate development. Our modus operandi is incubation. We are connecting with customer problems and planting the seeds for what we think is going to be the future of identity.

Our main focus for R&D is on potential adjacencies (new products), selling to existing markets (developers). So, for example, fine-grained authorization (FGA) and privacy are areas we’re looking into, which are adjacent to authentication. Similarly, we think about how the product could change to go after a new market, like government.

Right now we’re doing some research around digital credentials and wallets, which is upcoming, but not a mature technology in the industry. In the future, we believe companies will need to support the concept of a credential issued by another party, and the consumer owning their own data. They will have multiple digital credentials issued by different organizations. But they will also need a hub that centralizes their own policies and user data store to solve their use cases (centralized).

We are also exploring web3 technologies and our role in that context. We think we can help bridge the gap between web2 and web3—especially when you think about the account layer, beyond the wallet.
We are partnering with multiple web3 companies and adding integrations into our marketplace.

Tyson: In an interview with CTO Craft, you talk about engineering and mistakes, saying “this is just the nature of building things,” kind of pointing out that mistakes are critical to innovation. Any advice on how to maintain this mindset in the daily work of building when pressures can tend to drive out the willingness to be risky?

Woloski: It’s important to give your team room for experimentation. We do three hackathons per year—each one lasts three days, and 30-plus teams sign up. You get to see all sorts of innovation coming straight from the trenches. Some of the ideas get discarded, but others are implemented or marked for further research, so we can better understand them. The bottom line is, we aim to foster a learning culture.

Tyson: As a person heavily involved in cyber security, what keeps you up at night? What do you see as the biggest threats now and on the horizon?

Woloski: The fact that we secure billions of login transactions every month globally means that we have a unique perspective into what’s happening with identity-based attacks. What we typically see are breached passwords, credential stuffing, synthetic account creation (also called fraudulent registration), and MFA [multi-factor authentication] bypass as the biggest attacks—all of which we detect and prevent.

Every year we release a report called The State of Secure Identity that analyzes threats using real-world data from the Auth0 platform. Last year’s found that credential stuffing accounted for 16.5% of attempted login traffic on our platform. Credential stuffing attacks have been around for a long time; what’s changing is how cheap and easy they are to do. You can download a list of breached passwords or IP addresses for free. You can run a botnet for an hour for a dollar.
This is why we’ve invested in fully-featured attack protection on the security side.

Our goal is that users feel like they almost never have to enter credentials to access their apps. But at the same time make them feel that their applications are trustworthy. For that you need adaptive security that challenges the users only when there’s an anomaly.

Tyson: That is a very interesting high-level look at threats. Also somewhat chilling how sophisticated and inexpensive crimeware has become. The idea of adaptive security is enticing as a way to harmonize convenience and security.

Can I ask about the acquisition with Okta? Do you have advice for startup folks? Help them navigate those waters?

Woloski: Merging two organizations of our size is complex. Leadership is key for aligning on a few decisions right away and moving forward decisively. People will come along, but these processes take time. You have to give room and outlets for people to internalize these processes and deal with the change in a way that works for them.

Tyson: You and Vercel founder Guillermo Rauch are both from Argentina. I was struck by how similar Guillermo’s experience in Buenos Aires was to mine in the US. Do you mind talking about the tech scene there and your experience?

Woloski: Buenos Aires has always been a great hub of entrepreneurship and tech. The first Latin American unicorns were created there (MercadoLibre, Despegar, etc.) in the 2000s. These days, you see a lot of web3/crypto stuff happening—OpenZeppelin, Decentraland, and other projects were started by Argentinians. There is a combination of talent, resourcefulness, passion, and resilience created by the environment we live in. The effect of that is people who are creative, passionate, and willing to take risks.