We recently announced the creation of the OCV Public Benefit Company (OPBC) entity structure, and we’re proud to share that we have just launched our first OPBC company, Authentik Security, with newly minted CTO Jens Langhammer. Authentik Security builds on the open source project authentik, of which Jens is the creator. When OCV first approached Jens about creating a company around his open source identity management project, his first concern was that it shouldn’t affect the open source version negatively.
“I know how volatile startups can be,” said Jens. “I put so much time into Authentik already, and my biggest question was, ‘What happens if things don’t work out?’ I wanted to make sure that the open source version stays open source and stays alive.” Including the OPBC charter as part of Authentik Security’s articles of incorporation not only protects the current open source code, but it ensures the majority of development stays open source even as the company starts building proprietary features.
“I was very happy when OCV explained the OPBC idea,” said Jens. “In the very first meeting I voiced my concerns, and the reaction from Sid [General Partner] and Betty [COO] was very positive. By the next meeting, we had lawyers confirming we could do a public benefit company.” Under the OCV public benefit charter, a company takes on a legal responsibility to maintain and actively develop a viable, secure open source project in addition to any proprietary code they create. “Since we’ve started socializing the concept around OPBC, the open source founders we have spoken to have all responded enthusiastically,” said Betty Ma, COO at OCV. “The general belief is that the OPBC charter will safeguard the open source project, which will enhance the value of the commercial business.”
There are a lot of benefits to maintaining open source security software. While open source software isn’t inherently more secure than closed-source software, its transparency, community contributions, flexibility, and speed can be a huge advantage. Because users can see how the software operates and how the data is stored, they don’t need to trust the company implicitly. This has become increasingly important after the Okta breach. “Until a few months ago, the best practice was to outsource your authentication system to a third party,” said Sid Sijbrandij, General Partner at OCV. “Then the Okta breach happened and they didn’t tell anyone for months. This changed the world, and I think more people will be interested in self-hosting their authentication.” Open source removes the visibility barrier, and the option to self-host means companies can choose not to entrust their data to a third party. For open core companies, even the proprietary software is source-available. This completely removes the “black box” that non-open core software lives in.
Open core also promotes a level of flexibility that closed-source companies often don’t support. “Okta is used for the corporate side of logging into things. Azure has multiple offerings for internal employees and for its end-users. With authentik, these use cases are streamlined and you can do both,” said Jens. “Since the very first versions, the policy system has been designed to be very flexible and customizable so you can do any validation, extra logic, or customer action you want. This isn’t always possible on other platforms. You can manipulate the software for your needs.”
And the data stays with the user. “You can run authentik yourself. It gives you a lot more flexibility,” said Jens.
Jens started working on authentik when he was 20 years old: “It started as a different project,” said Jens. “The goal was to make a ‘single pane of glass’ control panel for emails, domains, hosting, etc. Twenty-year-old-me quickly realized it wasn’t feasible as a single person.”
The original application, Supervisr, had a single sign-on component that Jens enjoyed working on most, so he pivoted and started authentik. It was his first big open source project, and soon people were contributing to the code, to the documentation, and eventually to the design. Today, authentik has 2.5k stars on GitHub and 103 contributors.
“I didn’t think I would ever be taking on this role,” said Jens. “I suppose I could have gone out and tried to find a company willing to invest but I never did. I was content with it being an open source project.” Now, Jens is excited about this big opportunity, hiring a team, and seeing where things go.
One of the benefits of working with OCV is that founders get paid a salary from the start. This opens up access for more people to become startup founders. Building a company around an open source project and hiring a team means development can happen much faster.
In the near future, Jens hopes to add approve/deny push notifications, login notifications, approvals, and more services-based features to Authentik Security: “One thing I’m looking forward to exploring more is AI/ML opportunities. With a growing number of installs and increasing data, I think it would be interesting to get models that could predict behaviors and do some alerting. Of course, this would be optional for users.”
“There are many things I wanted to do but couldn’t because I didn’t have the time,” said Jens. “I’m excited about the opportunity for people to work full-time on the project. Both the future enterprise and open source versions will benefit.”