Skip to main content
Fletcher Heisler
CEO at Authentik Security Inc
View all authors

If your open source project competes with your paid product, you’re doing it wrong

· 7 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.


Earlier this year, an open core project rejected a community contribution because it competed with the enterprise edition. A concern people often raise about monetizing open source is misaligned incentives: why would open core companies make the underlying open source project great when it could cannibalize their paid offering? Open core companies do need paying customers, but offering a substandard free product is hardly going to have people lining up to pay.

We’ve talked about alignment on this blog a lot, because we actually think it’s one of our biggest strengths:

Today I want to talk about philosophical alignment with our customers and community, and how it benefits us all to have an open core and source-available enterprise version together with a culture that prizes transparency. We can collaborate closely with customers and potential customers, and everyone has greater visibility into how we respond to issues. But first, let’s look at when the open core model can fall flat.

Long username? Okta says: no password needed!

· 5 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.


Late last Friday, Okta released a security advisory: accounts with a username of 52 or more characters could authenticate with only the username under some conditions.

From their own description:

"The Bcrypt algorithm was used to generate the cache key where we hash a combined string of userId + username + password."

THIS IS CRAZY!

Bcrypt is a hashing algorithm. The way it is intended to be used is by concatenating a password with a random salt. Concatenating a user ID with a username with a password - this phrase alone should raise the hackles of any security professional - is definitely not a standard usage of Bcrypt.

At best, Bcrypt is a (now not-so-frequently chosen) password hashing algorithm, not a method for generating cache keys by throwing a bunch of user info into one big string. Passwords shouldn't go in cache keys. Public/guessable data like usernames shouldn't go in password hashes. This is more than a weird corner-case vulnerability; this is TERRIBLE security design.

Bcrypt has a maximum input length of 72 bytes. You can probably guess the rest of the issue from here: start with a user ID, then add a username, ...then a password, if there's room left. No room left? Guess we don't need to check if the password matches at all!

Proudly not AI-powered

· 6 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.


We recently updated our list of upcoming Enterprise features to more accurately reflect the requests we’ve been hearing from our customers and community. One of the changes you may notice: we are no longer spending precious cycles on brainstorming ways to inject AI into our product and user experience.

We had briefly considered ways that “AI” and specifically LLMs might enhance our platform, including an AI-based risk assessment option, as you see below on the left in our previous Enterprise features list. On reflection, we realized we could probably get most of the way to the same outcome with some custom expression templates and a few if statements, begging the question of whether it was worth the effort to pursue at all. So on our current website, you'll no longer see that mention of AI.

We did not want to push a feature just for the sake of being able to say we are AI-powered.

Our biennial Public Benefit Company (PBC) report

· 5 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta and Auth0, Ping, and Entra ID. Authentik Security is a public benefit company building on top of the open source project.


As a Public Benefit Company, authentik is dedicated to open source software development and to our community, and to continuously developing, providing, and maintaining secure, stable authentication solutions.

We are pleased to share our first Public Benefit Company (PBC) report with you, our community, our users, our contributors, and everyone who invests their time and effort into open source software for the good of us all.

Read on for details about our chartered commitments, the work we do to support these commitments, and how the results of the report show that we are on the right path.

Public Benefit Companies are a relatively new form of business entity, and are not limited to software companies. Two of the best known PBCs are the clothing brand Patagonia and the ice cream maker Ben & Jerry's. For any PBC the core focus is, of course, providing a benefit to others beyond themselves, as well as operating with transparency, accountability, and purpose.

PBCs (no matter their field or product) must act in the best interests of the community and consciously understand how their actions will affect others. For authentik specifically, we consider our work in the light of benefiting:

  • users and community members who implement and rely on our products
  • individuals or companies who contributed to or invested in authentik
  • the security and stability of broader systems and environments
  • the team members of the company

The benefits to us of being a PBC include attracting like-minded developers with the skills to continuously propel the project forward in the community as well as promoting trust from the community in our ongoing responsibility to the open source project.

In the annual or biennial report, PBCs typically provide a description and explanation of how the benefit company provided a general and/or specific public benefit, as well as which actions and methods they used to deliver and maintain the benefit.

Authentik Security’s stated public benefit purpose is to maintain an open-source platform for the benefit of the public.

Identity: Self-hosted or in the cloud?

· 11 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


In October 2023, Cloudflare announced that they had discovered yet another Okta compromise.

Cloudflare had to warn Okta first and show them how they had been breached via an insecure setup with a third-party service provider. A leading company offering security and identity as a service instead introduced insecurity.

Over the past decade or so, SaaS has become the dominant model for delivering software, and yet, such incidents aren’t surprising. The SaaS business model was supposed to align vendor and customer interests, while the technology allowed rapid updates and improvements. SaaS was supposed to bring an end to throwing software over the wall and letting customers deal with it.

Recently, however, we’ve seen many companies fleeing SaaS providers to build private clouds and run self-hosted software. At Authentik Security, we have seen more and more customers canceling legacy SaaS providers to take back control of their identity needs with our self-hosted solution.

At first glance, it looks like people are going back in time, but self-hosted software has advanced despite the popularity of SaaS and is increasingly likely to beat SaaS options across numerous measures. In this post, I’ll walk through why the industry defaults have changed and why we believe in focusing on a self-hosted product.

Security through transparency

· 8 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and Auth0. Authentik Security is a public benefit company building on top of the open source project.


The XZ backdoor incident spooked a lot of people. Not all PRs are innocent—even from long-standing contributors—and this one would have created a backdoor in a utility included in almost all Linux distributions, had it not been caught.

But “open source = more vulnerable to exploits” is the wrong takeaway—being open source can actually be an advantage for security-focused products.

My first week as CEO at Authentik Security

· 6 min read
Fletcher Heisler
CEO at Authentik Security Inc

authentik is an open source Identity Provider that unifies your identity needs into a single platform, replacing Okta, Active Directory, and auth0. Authentik Security is a public benefit company building on top of the open source project.


Hello world! I'm excited to be joining Authentik Security as CEO. I wanted to take this opportunity to share the experience of my first week with the community and a bit about my background.

At the start of my very first "official" day on the job, I got an overview of the various applications we use from Jens, our founder and CTO. If you have ever been through a company onboarding process, you know that it might take a few days up to a couple weeks to get access to everything, sometimes even longer. In a small and agile startup, that might be as little as a day if you're lucky.