Okta Alternative 2026: Why Authentik Is the Right Choice for Data-Sovereignty-Minded Companies

May 14, 2026
Timo Wevelsiep
authhost

Okta is expensive, US-hosted, and breached multiple times. Authentik offers all enterprise features, GDPR-compliant hosting in Germany, and predictable costs.

Content notice: The information in this article was compiled to the best of our knowledge at the time of publication. Technical details, pricing, versions, licensing models and external content are subject to change. Please verify the information independently, especially before making business-critical or security-relevant decisions. This article does not constitute individual professional, legal or tax advice.

TL;DR – The Key Points in 60 Seconds

  • The per-user pricing trap: Okta costs around USD 20,000 per year in license fees for 100 employees – with implementation, support, and add-ons, the first year adds up to 2 to 3 times that [1][2].
  • The SSO tax: Companies using Okta pay surcharges for "Enterprise SSO" across many SaaS tools in their stack – an often five-figure hidden cost block [4].
  • Vendor risk: Several documented security incidents in three years – in the October 2023 support-system breach, the contact data of all Okta support users was exfiltrated [6].
  • Authentik: Open source (MIT license), all enterprise protocols, modern MFA, actively developed [8][10].
  • Managed via authhost: Open source plus 24/7 operations on German infrastructure – from €34.90/month, unlimited users, GDPR-compliant.

Why an Okta Alternative in the First Place?

Anyone buying Okta today or negotiating a contract renewal runs into four structural problems that are rarely discussed in sales conversations. Each one is manageable on its own – in combination they become a strategic risk.

The cost problem: per-user pricing hits SMBs hard

Okta does not publish full pricing. What is publicly visible: the Starter Suite begins at around USD 6 per user per month, and the Essentials Suite that is common in the mid-market sits at around USD 17 per user per month [1]. For 100 employees, that's USD 20,400 in license costs per year – before anything has been implemented. On top of that come a minimum annual contract and annual billing without a real monthly cancellation option.

The true costs only become visible after signing. Once implementation, support, and add-ons are factored in, the first year runs at roughly 2 to 3 times the pure license cost, according to public data sets from Vendr and CheckThat.ai [2][3]. For 100 users on Essentials, that means around USD 40,000 to 80,000 in total first-year cost. For context: the median Okta annual contract, according to Vendr's verified transaction data, is around USD 43,840 [2].

The SSO tax: how Okta makes every other tool more expensive

The hidden cost driver is called the SSO tax: many SaaS vendors charge a significant surcharge on their standard plans as soon as you want to use "Enterprise SSO" with a third-party provider like Okta. AccessOwl documents surcharges across a wide range, with a typical corridor of 15 to over 100 percent [4].

Example calculation: a mid-sized company with 100 users and around 20 SaaS tools in its stack quickly pays tens of thousands of euros extra per year due to the SSO tax – just so Okta can even connect to the tools. Authentik solves this structurally differently: via the built-in proxy provider and the LDAP outpost, even tools that don't natively support SAML can be protected – without the respective SaaS vendor having to see a more expensive tier.

The breach history: multiple incidents in three years

Anyone buying an identity provider is buying trust. Okta has repeatedly strained exactly that trust in recent years:

  • January 2022: The Lapsus$ group compromised the subprocessor Sitel, which had access to Okta support systems. Around 366 customers were potentially affected [5].
  • October 2023: Attackers used stolen credentials to break into Okta's support system. Okta initially put the impact at "one percent of customers" – support files were accessed for 134 customers, some containing active session tokens, which led to follow-up attacks on 1Password, BeyondTrust, and Cloudflare. Okta later had to admit that, in addition, the names and email addresses of all Okta support users were included in the exfiltrated data set [6].
  • 2024 and beyond: Repeated follow-up incidents and ongoing discussions about session token security [7].

A central identity provider is a highly attractive attack target because it bundles access to thousands of downstream applications. Companies using Okta are buying themselves a single point of failure with a prominent attack surface. With a self-hosted Authentik instance, that risk is spread across many small, independent installations instead of a single, globally visible SaaS.

The CLOUD Act problem for German companies

Even with perfect technology, a regulatory problem remains for German companies: Okta is a US corporation and therefore subject to the US CLOUD Act. The law obliges American companies to grant US authorities access to customer data on request – regardless of where the data is stored. For GDPR-relevant workloads, that is a conflict that a data processing agreement can only paper over. And NIS2 explicitly requires supply chain security measures – a US provider with a documented breach history is an argument against, not for, the choice.


What Does It Really Cost? Total Cost of Ownership Compared

The following table shows the real total costs for a typical mid-sized company with 100 employees. It deliberately distinguishes between pure Okta SaaS, a fully self-operated Authentik (DIY), and Managed Authentik via authhost.

Cost item | Okta Essentials (SaaS) | Self-Hosted Authentik (DIY) | authhost Business (Managed)
License / software | ~USD 20,400/year (USD 17 × 100 × 12) | €0 (open source, MIT) | included
Minimum contract | annual contract, minimum commitment | flexible | cancel monthly
Implementation & setup, year 1 | ~USD 20,000–40,000 | 50–100 hrs in-house work (≈ €5,000–10,000) | included + personal setup call
Server infrastructure | – (SaaS) | ~€30–60/month | included
24/7 monitoring | premium support extra | in-house effort | included
Patch management & CVE response | opaque | in-house effort | included
Backups & disaster recovery | | in-house effort | included
GDPR hosting in Germany | complex (US cloud) | in-house effort | natively in Germany
Data processing agreement (DPA) | complex | in-house effort | included
SSO tax on third-party tools | often €5,000–15,000/year | avoidable via proxy/LDAP | avoidable via proxy/LDAP
Total year 1 | ~USD 40,000–80,000 | ≈ €11,000–18,000 | €1,258.80
Recurring costs from year 2 | ~USD 22,000–35,000/year | ≈ €4,000–8,000/year | €1,258.80/year
Data sovereignty | US cloud + CLOUD Act | full control | full control, DE hosting
Open source / auditable | no | yes | yes

The figures for authhost Business refer to the plan at €104.90/month with annual billing (€1,258.80/year) – unlimited users included. For 100 employees, that works out to roughly €12.59 per user per year. For comparison: Okta Essentials is around USD 204 per user per year – and the per-user logic flips, because with authhost the flat rate stays the same whether the 50th or the 500th user joins.

What the table honestly does not show

It would be dishonest to portray Okta only as "expensive and insecure." Three areas where Okta is genuinely strong:

  • a very large marketplace with thousands of pre-built app integrations,
  • mature customer success programs with a dedicated contact in the top tiers,
  • AI-assisted threat protection in the highest plans.

For highly complex, multinational setups with dozens of specialized integrations, Okta can be the right choice. For German SMBs with 50–1,000 employees, standardized SaaS applications, and clear GDPR and NIS2 requirements, the answer is usually a different one.

Comparison based on publicly available information, as of May 2026. Okta prices in US dollars, authhost prices in euros. Features, prices, and tiers can change at any time – please verify directly with the respective provider. Okta® is a trademark of Okta, Inc. Authentik is open-source software; the project is maintained by Authentik Security, Inc. (USA). authhost is an independent managed hosting provider and is not affiliated with these companies.


Authentik: The Modern Open-Source Alternative

Authentik is an open-source identity provider that launched in 2018 and explicitly positions itself as a more modern alternative to commercial IdPs such as Okta [8]. The project has over 21,000 GitHub stars [10] and is actively developed.

The same protocols as Okta – without license fees

Authentik supports all relevant standards: OAuth 2.0, OpenID Connect, SAML 2.0, LDAP, RADIUS, and SCIM. For SSO across internal and cloud applications, MFA for employees, and centralized user management, Authentik offers the same functional core as Okta – just open source and without a per-user license. The proxy outpost can also secure applications that don't support SSO themselves, and the LDAP outpost connects legacy systems and network devices.

The flow engine: authentication logic without code

The heart of Authentik is the flow system. Instead of rigid configuration screens, you assemble authentication workflows from individual "stages" – identification, password, MFA, consent – and control them dynamically via policies:

  • Access from the corporate network? → Skip 2FA.
  • Login from an unknown IP? → Require a hardware key.
  • New employee? → Automatically assign to the right group.

You configure all of this through the admin UI – no code, no YAML files. This visual flexibility is where Authentik sets itself apart most clearly from classic IdPs.
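The three rules above are policy decisions attached to individual stages of a flow. The following script is an added illustration, not Authentik's code and not a description of its internal API: it models a flow as an ordered list of stages, each of which carries zero or more policies that must all pass before the stage runs, and then plays the article's three scenarios through it. The network ranges, stage names, group name and login contexts are constructed for the example.

```python
"""Simplified model of a policy-driven authentication flow (added example).

Authentik configures flows, stages and policy bindings in its admin UI; this
script reproduces the idea offline so the decisions can be inspected:
a flow is an ordered list of stages, and a stage runs only when every policy
bound to it passes. Nothing here is Authentik's own code or data model.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, List, Optional, Set

# Constructed: address ranges treated as the corporate network.
CORPORATE_NETWORKS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


@dataclass
class LoginContext:
    username: str
    client_ip: str
    known_ip: bool                      # has this IP been seen for the user before?
    groups: Set[str] = field(default_factory=set)
    hire_date_recent: bool = False      # new employee?


@dataclass
class Stage:
    name: str
    # Every bound policy must return True for the stage to execute (AND semantics).
    policies: List[Callable[[LoginContext], bool]] = field(default_factory=list)
    # Optional side effect performed when the stage executes.
    action: Optional[Callable[[LoginContext], None]] = None


def from_corporate_network(ctx: LoginContext) -> bool:
    ip = ip_address(ctx.client_ip)
    return any(ip in net for net in CORPORATE_NETWORKS)


def needs_second_factor(ctx: LoginContext) -> bool:
    # Rule 1: access from the corporate network skips 2FA.
    return not from_corporate_network(ctx)


def needs_hardware_key(ctx: LoginContext) -> bool:
    # Rule 2: a login from an unknown, non-corporate IP requires a hardware key.
    return not ctx.known_ip and not from_corporate_network(ctx)


def is_new_employee(ctx: LoginContext) -> bool:
    # Rule 3: new employees are assigned to the right group automatically.
    return ctx.hire_date_recent


def assign_new_hire_group(ctx: LoginContext) -> None:
    ctx.groups.add("new-employees")     # constructed group name


# Constructed flow: stage names only loosely follow common IdP vocabulary.
AUTH_FLOW = [
    Stage("identification"),
    Stage("password"),
    Stage("authenticator-totp", policies=[needs_second_factor]),
    Stage("authenticator-webauthn", policies=[needs_hardware_key]),
    Stage("group-assignment", policies=[is_new_employee], action=assign_new_hire_group),
    Stage("user-login"),
]


def run_flow(stages: List[Stage], ctx: LoginContext) -> List[str]:
    """Return the names of the stages that actually executed for this login."""
    executed = []
    for stage in stages:
        if all(policy(ctx) for policy in stage.policies):
            executed.append(stage.name)
            if stage.action is not None:
                stage.action(ctx)
    return executed


if __name__ == "__main__":
    scenarios = {
        "office, known IP": LoginContext("alice", "10.1.2.3", known_ip=True),
        "home, known IP": LoginContext("bob", "203.0.113.5", known_ip=True),
        "home, unknown IP": LoginContext("bob", "198.51.100.9", known_ip=False),
        "new hire in office": LoginContext("carol", "192.168.4.20", known_ip=True, hire_date_recent=True),
    }
    for label, ctx in scenarios.items():
        print(f"{label:20s} -> {run_flow(AUTH_FLOW, ctx)}  groups={sorted(ctx.groups)}")
```

The point of the model is that the policy logic lives on the bindings, not in the stages: adding a fourth rule means adding a function and binding it, while the stage list stays unchanged. In a real deployment the corporate ranges and the "known IP" signal would come from the IdP's own data, not from constants.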

Modern MFA: passkeys, WebAuthn, hardware keys

Authentik supports the full spectrum of modern multi-factor authentication: TOTP via authenticator apps, WebAuthn and passkeys as phishing-resistant methods, FIDO2 hardware keys such as YubiKey, email OTP, and Duo integration. This lets Authentik meet the authentication requirements that NIS2 demands of regulated companies – without a higher tier becoming necessary.

Open source with reliable governance

Authentik is licensed under the MIT license and can therefore be used freely, including commercially [9]. Behind the project is Authentik Security, Inc., organized as a US public benefit corporation – a structure that legally backs the open-source commitment. The company has committed to never moving features from the open-source version to the enterprise version; the trend goes the other way – Remote Access Control was moved from Enterprise to Open Source in 2025 [9]. For vendor risk assessment, that is an important difference from classic SaaS models.


Authentik vs. Okta: The Feature Comparison

Criterion | Okta | Authentik (via authhost)
Protocols | OAuth2, OIDC, SAML, LDAP, SCIM | OAuth2, OIDC, SAML, LDAP, RADIUS, SCIM
Open source / auditable | ✗ | ✓ (MIT license)
Flat price without per-user costs | ✗ (per-user pricing) | ✓ (flat rate, unlimited users)
Self-hosting / full data control | ✗ (pure US cloud) | ✓
GDPR hosting in Germany | ➖ (complex, US cloud) | ✓
MFA: TOTP, WebAuthn/passkeys, FIDO2 | ✓ | ✓
Application proxy for apps without SSO | ➖ (limited) | ✓ (proxy outpost)
Remote access gateway (RDP/SSH/VNC) | | ✓
Visual flow engine | | ✓
Pre-built app integrations | ✓ (very large marketplace) | ➖ (smaller catalog, but proxy/LDAP outpost)
AI-assisted threat detection | ✓ (in top tiers) | ➖ (policies & posture rules)
Vendor lock-in risk | high | none (export possible any time)

✓ = fully met · ➖ = partial / with limitations · ✗ = not met

Comparison based on publicly available information, as of May 2026. Features and tiers can change at any time. Okta® is a trademark of Okta, Inc.


The Open-Source Alternatives at a Glance

Authentik is not the only open-source identity provider. A brief overview of where the strengths lie:

Tool | Technology | Sweet spot | Limitation
Authentik | Python (Django) + Go | Modern UI, flow engine, hybrid SMB setups | Flexibility comes with complexity
Keycloak | Java / Quarkus | Enterprise standard, Red Hat backing, multi-realm | Steep learning curve, high resource needs
Authelia | Go | Lean auth proxy for reverse-proxy setups | Not a full-fledged IdP
Zitadel | Go | SaaS-first, multi-tenancy, API-centric | More complex self-hosting path
Ory | Go (multiple components) | Cloud-native, API-first, very granular | Multi-part architecture, high entry barrier

For SMBs with a mixed cloud and legacy stack, Authentik best hits the sweet spot between feature scope and operability. If you want the direct comparison: in Authentik vs. Authelia vs. Keycloak we go through the three most-used options in detail, and in Keycloak Alternative for SMBs we show why Keycloak is often overkill for smaller teams.


NIS2 and GDPR: Why Sovereign Identity Management Matters in 2026

For German decision-makers, the question of an Okta alternative is not just a cost question but increasingly a regulatory one.

What NIS2 concretely requires

The NIS2 Directive requires affected companies to implement a bundle of risk-management measures – including explicitly multi-factor authentication or continuous authentication, access control, supply chain security measures, and traceable logging [11]. Cybersecurity thus becomes a management responsibility: it can no longer be fully delegated to a service provider. Centralized, well-documented identity management is exactly one of the building blocks that has to be demonstrated in a NIS2 context.

Why US providers are an audit risk

A US-hosted identity provider with a documented breach history is not a strength in a NIS2 argument but a weakness – both on the "supply chain security" point and on data sovereignty. Authentik, operated as a managed service on German infrastructure, flips that argument around: hosting in Germany, a data processing agreement included, open-source and therefore auditable software, full data control. Compliance responsibility stays with the company – but the technical and organizational basis is in place.


Self-Hosting vs. Managed: The Honest Calculation

Self-hosting saves the license costs – but it isn't free. Anyone running Authentik themselves takes on setup, security updates, database maintenance, backups, monitoring, and TLS certificates. Above all, they take on responsibility for availability: if the identity provider goes down, nobody can access the connected applications anymore. In an emergency, that requires 24/7 readiness that small IT teams can rarely sustain permanently.

authhost is the middle ground. We operate your dedicated Authentik instance as a managed service on infrastructure in Germany – with automatic, pre-tested updates, daily backups, 24/7 monitoring, and German-speaking support from a team that uses Authentik productively in its own stack. You keep full data control and open-source freedom; we take on the operational effort. The feature overview shows what's in every instance.


Migration from Okta to Authentik: The Realistic Path

The good news: a migration is protocol-oriented and therefore plannable with low risk. Because Authentik speaks the same standards as Okta – SAML, OIDC, SCIM – the switch can be carried out step by step and without a hard cut-off date.

  1. Set up Authentik in parallel. The new instance runs alongside Okta without shutting anything down.
  2. Migrate applications app by app. Each application is reconnected individually – typically a few minutes per app.
  3. Sync the user directory via SCIM. User lifecycle management runs through standard provisioning.
  4. Decommission Okta after a successful cut-over. Only when everything is running does the Okta contract end.

Parallel operation is the key: the same application can temporarily be connected to Okta and Authentik, so you can switch over in a controlled way. Realistic timeframe for a mid-sized setup: 1–4 weeks, depending on the number of apps, the MFA setup, and any custom flows. In the Business plan, a personal setup call accompanies the migration; in the Enterprise plan, individual onboarding support is added.
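Step 4 says the old contract ends only once everything is running. The following script, an added example that is not part of the article and not authhost tooling, turns that condition into something checkable: it compares a user export from the old IdP with the users the new IdP received via SCIM provisioning (step 3), checks the list of applications already reconnected (step 2), and reports what still blocks the cut-over. The CSV export, the SCIM response and the application lists are constructed sample data; the SCIM fields used (`userName`, `active`, `emails`) are from the RFC 7643 User schema.

```python
"""Cut-over readiness check before decommissioning the old IdP (added example)."""
import csv
import io
import json

# Constructed: user export from the old IdP, as a directory CSV export would look.
OLD_IDP_EXPORT = """login,email,status
alice,alice@example.com,ACTIVE
bob,bob@example.com,ACTIVE
carol,carol@example.com,DEPROVISIONED
dave,dave@example.com,ACTIVE
"""

# Constructed: users as the new IdP returns them over SCIM (RFC 7643 User schema subset).
NEW_IDP_SCIM_USERS = json.loads("""
{"Resources": [
  {"userName": "alice", "active": true,  "emails": [{"value": "alice@example.com", "primary": true}]},
  {"userName": "bob",   "active": false, "emails": [{"value": "bob@example.com",   "primary": true}]},
  {"userName": "carol", "active": false, "emails": [{"value": "carol@example.com", "primary": true}]}
]}
""")

# Constructed: applications connected to the old IdP, and those already reconnected
# to the new one with the protocol used (a legacy app without SSO would go behind
# the proxy outpost and be listed here as "proxy").
OLD_IDP_APPS = ["gitlab", "nextcloud", "grafana", "legacy-wiki"]
RECONNECTED_APPS = {"gitlab": "oidc", "nextcloud": "saml", "grafana": "oidc"}


def parse_old_export(text):
    """Map login -> row for the old IdP's CSV export."""
    return {row["login"]: row for row in csv.DictReader(io.StringIO(text))}


def parse_scim(doc):
    """Map userName -> {active, primary email} from a SCIM ListResponse."""
    users = {}
    for resource in doc["Resources"]:
        primary = next(
            (e["value"] for e in resource.get("emails", []) if e.get("primary")), None
        )
        users[resource["userName"]] = {
            "active": bool(resource.get("active", False)),
            "email": primary,
        }
    return users


def cutover_report(old_export, scim_doc, old_apps, reconnected):
    """Return what still blocks switching the old IdP off."""
    old = parse_old_export(old_export)
    new = parse_scim(scim_doc)
    report = {
        "missing_users": [],       # active in old IdP, absent in new
        "inactive_in_new": [],     # provisioned but not activated
        "email_mismatch": [],      # identity attribute drift between directories
        "apps_not_reconnected": [],
    }
    for login, row in old.items():
        if row["status"] != "ACTIVE":
            continue  # deprovisioned accounts are not expected in the new IdP
        if login not in new:
            report["missing_users"].append(login)
        elif not new[login]["active"]:
            report["inactive_in_new"].append(login)
        elif new[login]["email"] != row["email"]:
            report["email_mismatch"].append(login)
    report["apps_not_reconnected"] = [app for app in old_apps if app not in reconnected]
    report["ready"] = not any(
        report[key]
        for key in ("missing_users", "inactive_in_new", "email_mismatch", "apps_not_reconnected")
    )
    return report


if __name__ == "__main__":
    result = cutover_report(OLD_IDP_EXPORT, NEW_IDP_SCIM_USERS, OLD_IDP_APPS, RECONNECTED_APPS)
    print(json.dumps(result, indent=2))
```

Run against the sample data, the report lists one user never provisioned, one provisioned but still inactive, one application not yet reconnected, and therefore `ready: false`. In a real migration the CSV would come from the old IdP's export and the SCIM document from the new IdP's `/Users` endpoint; the comparison logic stays the same, and the report is worth keeping as evidence that the cut-over condition was actually verified.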


authhost: Managed Authentik on German Infrastructure

authhost operates Authentik as a fully managed service – a dedicated instance, hosting in Germany, GDPR-compliant. Three plans, all with unlimited users:

  • Starter – from €34.90/month: Dedicated Authentik instance, SSO (OIDC, SAML, LDAP, SCIM, RADIUS), MFA, login flows, proxy provider, remote access gateway, 24/7 monitoring, automatic backups & updates, email support (48 h). Recommended up to 250 users.
  • Business – from €104.90/month: Everything in Starter, plus more hardware specs, priority support (4 h SLA), and a personal setup call. Recommended up to 1,000 users.
  • Enterprise – on request: For more than 1,000 users. Dedicated infrastructure, a dedicated contact (2 h SLA), custom onboarding, a 99.99% SLA guarantee, and an on-premise option.

All plans can be canceled monthly, have no setup fee, and include a data processing agreement and automatic backups. Every plan includes a 7-day free trial.


Conclusion

Okta was long the obvious choice for identity and access management – and for some multinational corporations it still is. But for German SMBs the math has shifted: per-user pricing, the SSO tax, a breach history, and the CLOUD Act issue make Okta an expensive and regulatorily uncomfortable option in 2026.

Authentik delivers the same core functions open source, without license fees, and with full data control. The only real hurdle is the operational effort – and that is exactly what authhost takes off your hands: Managed Authentik on German infrastructure, GDPR-compliant, with predictable costs from €34.90/month. Anyone looking for a sovereign, future-proof Okta alternative will find it here.


Sources

  1. Okta – Official pricing overview: okta.com
  2. Vendr – Okta pricing & verified transaction data: vendr.com
  3. CheckThat.ai – Okta pricing deep dive: checkthat.ai
  4. AccessOwl – Okta cost & the SSO tax: accessowl.com
  5. Breachsense – Okta Data Breach Case Study (incident history): breachsense.com
  6. InformationWeek – Massive Okta breach 2023: informationweek.com
  7. VentureBeat – What Okta's incidents say about identity security: venturebeat.com
  8. Authentik – Official website & positioning: goauthentik.io
  9. Authentik – Open Source RAC & license commitment: goauthentik.io
  10. Authentik – GitHub repository: github.com
  11. NIS2 Directive (EU) 2022/2555 – risk-management measures (Art. 21): eur-lex.europa.eu

Frequently Asked Questions

Is Authentik really a full-fledged Okta alternative?
For the vast majority of use cases, yes. Authentik supports all relevant protocols (OAuth2, OIDC, SAML 2.0, LDAP, RADIUS, SCIM), modern MFA including passkeys and WebAuthn, an application proxy for apps without native SSO support, and a remote access gateway for RDP, SSH, and VNC. Okta's remaining edge lies in its huge app marketplace and AI-assisted threat detection in its top tiers. For SMBs with standardized applications, both platforms are functionally comparable.
What does Authentik actually cost compared to Okta?
Authentik itself is free as open-source software (MIT license) – costs arise from servers, setup, and operations. A self-hosted Authentik for a typical 100-person setup realistically costs €11,000–18,000 in the first year including in-house effort; Okta Essentials lands between USD 40,000–80,000 in year one depending on implementation. With Managed Authentik via authhost, you pay a flat rate from €34.90/month – with no per-user costs.
How does migration from Okta to Authentik work?
Migration is protocol-oriented and therefore low-risk. Since Authentik uses the same standards (SAML, OIDC, SCIM), applications can be reconnected one by one without shutting Okta down immediately. Typical path: set up Authentik in parallel, migrate apps step by step, sync the user directory via SCIM, and decommission Okta after a successful cut-over. Realistic timeframe: 1–4 weeks depending on the number of apps, MFA setup, and custom flows.
Isn't self-hosting too complex for SMBs?
Authentik is significantly easier to operate than, say, Keycloak, but it remains an IAM solution that needs ongoing maintenance: security updates, backups, monitoring, and ideally 24/7 readiness – because if the identity provider goes down, nobody can access the connected applications anymore. That's exactly why managed services like authhost exist: they take on the operational burden while the customer keeps full data control.
What happens if I want to leave authhost again?
Your complete Authentik configuration runs in a dedicated instance in standardized open-source formats – database, flows, users, policies. If you want to switch, you export your instance and continue running it yourself or move to another provider. There are no proprietary lock-in mechanisms. That is a core sovereignty advantage over a pure SaaS IdP.
Does Authentik meet NIS2 and GDPR requirements?
Authentik provides the technical foundations for NIS2-compliant identity governance: multi-factor authentication, audit logs, strong authentication protocols, and granular permission models. With a managed service like authhost, the organizational aspects that DIY setups often lack are added: hosting in Germany, a data processing agreement included, and a German-speaking point of contact. Compliance responsibility stays with the company – the platform delivers the building blocks.
How secure is Authentik compared to Okta?
Both systems have strengths. Okta has a professional security team and mature protection mechanisms – but also several documented security incidents in three years; in the October 2023 support-system breach, the contact data of all Okta support users was exfiltrated. Authentik is fully auditable as an open-source project. The most important structural advantage: a self-hosted instance is not a central high-value target like a SaaS with tens of thousands of customers – attackers focus on single points of failure with a high multiplier effect.
Which MFA options does Authentik support?
Authentik supports all modern MFA methods: TOTP (authenticator apps), WebAuthn and passkeys as phishing-resistant methods, FIDO2 hardware keys such as YubiKey, email OTP, and Duo integration. This covers the full standard – including the MFA options that some commercial IdPs only make available in higher tiers or as an add-on.
What are the honest weaknesses of Authentik?
Three points deserve a realistic mention. First: the flexibility comes with a degree of complexity – if you only need the most basic SSO functions, a leaner tool may get you there faster. Second: the catalog of pre-built integrations is smaller than Okta's marketplace; exotic enterprise tools sometimes need to be connected manually. Third: there is no managed SaaS from the vendor itself – if you don't want to run your own infrastructure, you need a partner like authhost.
Why Authentik and not Keycloak?
Both are solid open-source IdPs, but they target different sweet spots. Keycloak is the Java veteran with Red Hat backing and a very broad feature set – but with a steep learning curve and high resource requirements. Authentik relies on a modern Python stack, a visual flow engine, and lower infrastructure needs. For highly complex multi-realm enterprise setups, Keycloak is often more pragmatic; for modern SMB setups with a mixed cloud and legacy stack, Authentik is usually the more ergonomic choice. More on this in our Keycloak comparison.
Do I need dedicated hardware for Authentik?
No. Authentik runs as a Docker Compose stack and is frugal: the server and worker components each need around 300–500 MB RAM at idle, and the complete stack of server, worker, and PostgreSQL runs on 2–3 GB RAM. Plan more generously for production loads, but a small server is enough. High-availability multi-node setups scale horizontally. With Managed Authentik via authhost, the infrastructure question goes away entirely.
Which authhost plan is right for my company?
The choice mainly depends on user count and support requirements. Up to roughly 250 users, the Starter plan (from €34.90/month) with 48-hour email support and all core features is usually sufficient. Up to roughly 1,000 users, we recommend the Business plan (from €104.90/month) with a 4-hour SLA, a personal setup call, and higher hardware specs. Above 1,000 users, or for requirements such as a 99.99% SLA guarantee, a dedicated contact with a 2-hour response time, or on-premise deployment, the Enterprise plan is the right choice. Every plan includes a 7-day free trial.

Written by

Timo Wevelsiep

Founder, merkaio

Founder of merkaio. Managed Authentik Identity Hosting. Focus on identity management, SSO and zero trust architecture.
