Identity and access management is the highest-stakes purchasing decision in enterprise security. Your identity provider is the keystone — every application, every employee, every privileged credential routes through it. When it works correctly and no one notices it, it's invisible infrastructure. When it fails or gets compromised, the blast radius covers your entire organization.
I've deployed and managed IAM infrastructure across multiple organizations at different scales. The tool decision matters, but the operational posture around it matters more. This comparison covers the three options that come up most in current enterprise discussions — and the post-2023 trust landscape that changed how this conversation goes.
The IAM Vendor Landscape in 2026
The identity market went through a meaningful reshuffling after 2021. Okta acquired Auth0 for $6.5 billion, consolidating two of the three major identity platforms under one company. Then Okta had two significant security incidents in 2022 and 2023 that changed how security teams evaluate them.
Simultaneously, Authentik matured from a homelab project into a genuine enterprise contender. The self-hosted identity space grew, driven partly by cost pressure at Okta's per-user pricing and partly by the breach incidents creating appetite for alternatives.
These aren't three options in a mature, stable market. This is a market in active transition.
Okta: Enterprise Standard, Trust Deficit
Okta's strengths are real and well-established. The Okta Integration Network has over 7,000 pre-built integrations, every major SaaS application, every major cloud provider, most enterprise software has a documented Okta connector. Lifecycle management (provisioning and deprovisioning users automatically as HR systems change) works well when configured properly. MFA policy enforcement, adaptive authentication based on device and location signals, and compliance reporting are mature features.
For a large enterprise with hundreds of SaaS applications and thousands of employees, Okta's integration breadth means implementation is usually configuration rather than development. That has real operational value.
The 2022-2023 incidents require honest coverage.
January 2022: The Lapsus$ group published screenshots taken from Okta's internal systems. Okta initially stated the impact was limited and that most customers were not affected. The disclosure was slow, the breach occurred months before it was disclosed.
October 2023: The more damaging incident. A threat actor used stolen credentials to access Okta's customer support case management system. Customers who contact Okta support routinely upload HTTP Archive (HAR) files, browser session recordings that include cookies and session tokens. The attacker accessed these files.
Okta initially disclosed that approximately 1% of customers were affected. Weeks later, after external pressure and further investigation, Okta revised this to state that all customers who had ever contacted Okta support could have had their files accessed. BeyondTrust had detected suspicious activity targeting their Okta environment and notified Okta in early October. Okta took over two weeks to confirm a breach had occurred. 1Password and Cloudflare also reported detecting attacks.
The timeline and communication handling were criticized substantively by security professionals. The initial understatement of scope, the delay in confirming what BeyondTrust had already identified, and the pace of disclosure relative to the sophistication of the actors involved, these were not minor missteps.
What does this mean practically? Okta's core product is authentication infrastructure. The 2023 breach was a breach of support tooling, not the authentication platform itself. But the attacker used stolen support session data to target downstream customers. For security teams, the lesson is that your identity provider's support systems are part of your attack surface.
Okta has made architectural changes since 2023. But trust, once damaged, returns slowly in security relationships.
Auth0: Developer Identity, Okta's Shadow
Auth0 targets a different buyer than Okta. Where Okta's primary customer is the enterprise IT or security team, Auth0's primary customer is the developer building an application that needs authentication.
The product is excellent at that job. Auth0's SDKs for JavaScript, Python, Go, Ruby, Java, Swift, and Kotlin are well-maintained and well-documented. Universal Login (Auth0's hosted login page) is highly customizable without writing a custom auth flow from scratch. The Rules and Actions pipeline lets developers inject logic into the authentication flow, logging, enriching user profiles, enforcing custom policies, without maintaining a full custom auth stack.
The free tier is genuinely useful: 7,500 monthly active users, unlimited logins, social connections (Google, GitHub, Apple, etc.), and basic MFA. For a SaaS startup building its first product, Auth0 free handles early-stage authentication without any cost.
The complication: Auth0 is now Okta. The acquisition was completed in 2021. The platforms are being progressively integrated. Auth0's infrastructure is shared with Okta's. The trust implications of the 2023 Okta breach therefore extend to Auth0, if you're building on Auth0, you're building on Okta's infrastructure and Okta's operational posture.
Auth0 pricing beyond the free tier can escalate quickly. The Professional plan starts at $240/month, and pricing scales by monthly active users in a way that can surprise growing SaaS products. At 50,000 MAUs, you're in enterprise pricing territory.
Authentik: Open Source Identity That Actually Works
Authentik is an open source identity provider. It's not a "close enough" alternative, it implements the actual protocols: SAML 2.0, OAuth2/OIDC, LDAP, RADIUS, and SCIM. Any application that integrates with Okta via these protocols can integrate with Authentik.
The architecture is Django/Python backend with PostgreSQL, deployed via Docker Compose or Kubernetes. The Outpost model handles protocol-specific integrations, a Proxy Outpost provides SSO for applications that don't natively support SAML/OIDC, an LDAP Outpost serves applications that only speak LDAP. This covers legacy enterprise applications that haven't moved to modern auth protocols.
MFA is built in: TOTP (Google Authenticator, Authy), WebAuthn (hardware keys, passkeys), and static tokens. The Flows system. Authentik's method for configuring authentication pipelines, is powerful and genuinely flexible. You can build exactly the login experience your organization needs, with stage-by-stage configuration of prompts, MFA requirements, and policy checks.
The Authentik Enterprise tier (2024 onward) adds commercial support, RBAC, compliance features, and Authentik Cloud (managed hosting) for organizations that want the open source product without the operational burden.
What it takes to run Authentik yourself:
This is where the CISO conversation gets real. Running your own identity provider means:
- ▸You're responsible for availability. If Authentik goes down, nobody authenticates. You need proper HA configuration (multiple instances, load balancing, PostgreSQL HA) or you have a single point of failure that takes down your entire organization.
- ▸You're responsible for patching. Identity infrastructure needs to be current. Falling behind on updates to your IdP is a security problem. You need a process for tracking releases and deploying them promptly.
- ▸You're responsible for backup and recovery. Your Authentik database contains your entire user directory, MFA enrollments, group memberships, and application configurations. Losing it without a tested recovery process is catastrophic.
- ▸You need someone who understands it. Authentik is not complex software, but it's also not zero-maintenance. Someone on your team needs to own it.
For organizations with a dedicated security or infrastructure team, this is manageable. For a 20-person startup without dedicated ops, this is the wrong tool.
Pricing
| Authentik | Auth0 | Okta | |
|---|---|---|---|
| Free tier | Yes (self-hosted, unlimited users) | Yes (7,500 MAUs) | No (trials only) |
| Entry paid | Enterprise support add-on | Professional: $240/month | Custom (per-user pricing) |
| Typical enterprise cost | Hosting + optional support | $0.02-$0.07/MAU/month | $2-$15/user/month |
| Self-hosted | Yes (primary model) | No | No |
| Managed cloud | Authentik Cloud (2024) | Yes | Yes |
| Open source | Yes (AGPL) | No | No |
| Pricing model | Flat hosting cost | Per MAU | Per user/month |
| SSO | Yes | Yes | Yes |
| MFA | Yes | Yes | Yes |
| SAML | Yes | Yes (paid) | Yes |
| OIDC | Yes | Yes | Yes |
| LDAP | Yes | No | Yes |
| Lifecycle management | Basic (SCIM) | Limited | full |
| Compliance reporting | Basic | Limited | full |
The Okta cost for a 500-user organization at mid-tier pricing can run $5,000-$7,500/month. Authentik on a properly configured VPS or small Kubernetes cluster costs $50-150/month in hosting. At scale, the delta is significant.
The Self-Hosted IAM Question
The question I get from CISOs evaluating Authentik is usually framed as: "Is it responsible to self-host our identity provider?"
The honest answer is that it depends on what you're comparing it to, and what your operational maturity is.
The case for self-hosted IAM:
Data sovereignty. In certain regulatory environments, particularly EU organizations under strict data residency requirements, or organizations in regulated industries with specific requirements about where authentication data lives, self-hosted IAM removes the cloud dependency. Your authentication logs, your user directory, your MFA enrollments: all on infrastructure you control.
Cost at scale. At 1,000+ users, Okta's per-user pricing represents a meaningful budget line. Authentik's cost is the hosting plus the engineering time to maintain it. For organizations with infrastructure teams, the math often favors self-hosted above a certain scale.
No vendor supply chain risk. The 2023 Okta incident was a supply chain attack, not against the core auth product, but against the support infrastructure around it. Self-hosted removes the specific vector of "my identity provider's vendor support system was compromised and attackers got my session data." It introduces different risks, but eliminates that specific one.
The case against self-hosted IAM for most organizations:
Availability is hard. Single-instance Authentik with a single PostgreSQL is a single point of failure for your entire authentication system. Getting this right requires HA configuration that most organizations haven't thought through carefully.
Expertise is scarce. The people who can properly configure, monitor, and maintain an identity provider, who understand SAML flows, OAuth token lifetimes, LDAP schema design, and the operational security of the system itself, are not common. If the one person who knows how it works leaves, you have a problem.
Security of the IdP itself. Your identity provider is the highest-value target in your environment. It needs to be secured with the same rigor as any critical system: network segmentation, access control, audit logging, integrity monitoring. Most organizations don't apply this rigor to self-hosted tooling.
Integration breadth. Okta's 7,000 integrations exist because Okta has been doing this for 15 years and has a team dedicated to maintaining them. Authentik has a good integration story for standard-protocol applications. Legacy enterprise software with proprietary auth, or niche SaaS tools that only have Okta connectors, may require custom work.
Feature Comparison
| Authentik | Auth0 | Okta | |
|---|---|---|---|
| SSO (SAML/OIDC) | Yes | Yes | Yes |
| MFA (TOTP/WebAuthn) | Yes | Yes | Yes |
| Passkeys | Yes | Yes | Yes |
| LDAP | Yes (Outpost) | No | Yes |
| RADIUS | Yes | No | Yes |
| SCIM provisioning | Yes | Limited | Yes |
| Lifecycle management | Basic | Limited | full |
| Pre-built integrations | Community-maintained | 500+ | 7,000+ |
| Developer SDKs | Community | Excellent (official) | Good |
| Adaptive MFA | Basic | Yes | Yes |
| Compliance reporting | Basic | Limited | full |
| Audit logs | Yes | Yes | Yes |
| Dedicated support SLA | Enterprise tier | Yes (paid) | Yes |
The Post-Breach Trust Landscape
After the 2023 incident, the right question for any organization evaluating Okta isn't "did they get breached", it's "how did they handle it, and what changed."
Okta disclosed too slowly, initially understated scope, and was alerted to the breach by a customer before their own detection systems flagged it. Those are operational security failures that matter when you're evaluating whether to trust an organization with your authentication infrastructure.
What Okta did subsequently: published a detailed post-incident report, made architectural changes to how customer files are handled in support systems, and committed to more rapid disclosure timelines. Todd McKinnon published a retrospective that was more forthcoming than the initial communications.
Whether this is sufficient is a judgment call. For large enterprises with no realistic alternative to Okta's integration breadth, the answer is often "we continue using Okta with enhanced monitoring of our own authentication systems." For organizations that have the capacity to run Authentik, the 2023 incident moved the self-hosted calculation meaningfully.
Auth0 shares Okta's trust calculus by virtue of the acquisition. If Okta's operational posture is a concern, Auth0's infrastructure is the same infrastructure.
Verdict by Organization Type
Enterprise, 500+ users, complex SaaS stack: Okta. The integration breadth is irreplaceable at scale. Monitor your own auth events independently, don't rely solely on Okta's detection, and treat your Okta support interactions with the same sensitivity you'd apply to any privileged access. The 2023 incident should change your operational posture, not necessarily your vendor choice.
Developer building a SaaS product: Auth0. The SDKs, the Universal Login customization, and the 7,500 MAU free tier are the right starting point for application authentication. Understand that you're building on Okta infrastructure and price in that risk.
Technical organization with infrastructure capacity, 50-500 users: Authentik deserves serious evaluation. The cost savings versus Okta are real, the protocol support is full, and for organizations with dedicated infrastructure teams, the operational burden is manageable. Invest in HA configuration before going to production, document everything, and treat the IdP with the same security rigor you'd apply to your most sensitive systems.
Small team, no dedicated security staff: Auth0 free tier or a simple managed solution. Self-hosted IAM is not the right risk profile for an organization without the capacity to maintain it. Okta or Auth0 managed services are the appropriate choice, accept the vendor risk in exchange for not having to own the operational complexity.
Air-gapped or strict data sovereignty requirements: Authentik is likely your only viable path. The major cloud IdPs don't support on-premises deployments in meaningful ways. Authentik's self-hosted model, combined with the LDAP and SAML support for legacy applications, makes it the practical choice for environments where data residency is a hard requirement.
IAM is the category where the cheapest option is rarely actually cheaper when you account for operational cost and risk. Authentik running on a $50/month server is not free, it carries the cost of whoever maintains it and the organizational risk of whatever happens when something goes wrong. Okta at $7/user/month is not just a SaaS fee, it's buying the operational maturity, integration ecosystem, and vendor accountability that comes with it.
The right choice depends less on feature comparison than on whether your organization has the maturity to safely own what self-hosted IAM requires. Be honest about that before the deployment, not after.