Instead of “auth”, we should say “permissions” and “login”

614 points, by tambourine_man, about 1 year ago

68 comments

aeonik, about 1 year ago
"Authorize" and "Authenticate" are excellent words. They go back to medieval times and haven't changed meaning too much.

Everybody knows what an "authority" is. It means they have power or capability.

Everybody knows what authentic means. Something that is proven to be genuine.

The difference between the two concepts, as they are used in crypto systems, is specific, important to get right, and also inherently intertwined, confusing, and subtle. I'm skeptical that changing the words would help.

It's one of the many reasons we have the saying, "Don't roll your own crypto."

Trust and verification are just hard problems.
DowagerDave, about 1 year ago
I don't really get the point of this post. Yes, naming things is hard, but the fact that these two words are similar is actually a good thing, despite laypersons getting them confused, because they are both functionally and implementation-wise closely related. The confusion is not going to be solved by trying to relabel the concepts. The author never actually illustrates the harm caused by this confusion either. My guess is they ran into something like installing a package that didn't cover their desired needs, attributed this to the "auth" name and instead of moving on decided to write about it.

>> "The canonical solution is to call these "authn" and "authz", the n and z evoking the longer words."

or we could just use the longer words?
verdverm, about 1 year ago
"Identity" and "Access" Management (IAM) is pretty standard terminology.

I personally like saying authnz (authentication and authorization mashed together).

"Login" doesn't really cover token or key based authentication, i.e. service accounts don't "log in" but do require authentication and authorization.
bazil376, about 1 year ago
I like it. The distinction between Authn and Authz isn't nearly as obvious as login and permission. Sometimes I feel like we enjoy fancy terms more than we enjoy unambiguous terms.
kissgyorgy, about 1 year ago
I have worked with auth (:P) systems (IAM) a lot and I have never seen the problem with "auth" meaning both authorization and authentication. When more specificity is needed, just use the right phrase.

Using "login" and "permissions" is worse IMO, because they don't catch the entire meaning and complexity of these systems. Authentication means way more than login, and permissions mean very specific things for a small portion of an authorization system.
AbraKdabra, about 1 year ago
I've never been in a situation where this "confusion" happens (neither in English nor in Spanish, where we use autenticación and autorización); authentication and authorization are standard terminology in all IT and Infosec.

I know acronyms and stuff, but if it creates confusion just use the damn complete word. I don't get why create a problem.
thayne, about 1 year ago
> This terminology implies that the two concepts, authentication and authorization, are more closely related than they are.

But they are closely related. You can't really have authorization without some form of authentication. Both are tied to some kind of identity. And in some cases, such as SSO, authentication involves authorization from another system.

Also, login is not a good replacement for authentication, because there are forms of authentication that don't involve logging in at all. And often the act of logging in just exchanges one set of authentication credentials (username and password or equivalent) for another, shorter lived, set (token, cookie, etc.)

Finally, one nice property of using authz and authn is that you can use "auth" to mean "authentication and authorization", since the two often go together.
jmsgwd, about 1 year ago
This sucks... authorization and permissions are not the same thing.

Permissions are rights or privileges, which exist independently of their assignment to particular users.

Authorization, on the other hand, can have two meanings, both of which relate to _assignment_ of permissions to users (preferably via groups or roles):

1. The process of assigning permissions to users, as in "you need to be authorized to do that".

2. The process of confirming whether a user has the necessary permissions to perform some action.

The second meaning can also be referred to as access control (or more precisely, runtime access control). It's what applications typically do after authenticating users. Hence, if you want an alternative to "authorization" in the runtime verification sense, the term "access control" might be appropriate.

On the other hand, authN and authZ are perfectly adequate and well-understood.

Since the term "authorization" always relates to a (direct or indirect) binding between permissions and users, it makes no sense to use the term "permissions" as a substitute for "authorization".
habitue, about 1 year ago
Sometimes someone just points out the obvious, and it's obviously a good solution. I'm happy to never use authn or authz again, good riddance.
xyst, about 1 year ago
"authn" and "authz" are sufficient to use between technical people.

But using "login" and "permissions" for explaining concepts to the general populace is perfectly fine as well.
layer8, about 1 year ago
"Login" implies a state change, which "authentication" doesn't.

"Authorization" can refer to a process, which "permissions" doesn't.
libria, about 1 year ago
We carry a physical analog of this in real life: the work badge. My policy-enforced visible picture identifies who I am and that I match that photo, and also gatekeeps me into and out of places I'm allowed to enter.

> terminology implies that the two concepts, authentication and authorization, are more closely related than they are ... There are some links ... because what you can do is tied to who you are. But they're also very different

AuthZ being entirely dependent on AuthN is not "some links". That's an unbreakable dependency.

I can agree that these two words being a single letter apart are easy to conflate though. But as they are related, we're more likely to increase training/education around the concept rather than rename them.
steve_adams_86, about 1 year ago
I think this only works in limited versions of these auth systems. If that's what you want, great. Some packages for various languages already exist for this purpose. They're incomplete auth systems, though.

There are more modes of authentication than logging a user into a system or referencing their proof of authentication after login. It's certainly the most common use case, but authentication can occur using other forms of proof that you're willing to trust.

For example, someone in your system invites people to do something via email. Once these people authenticate by entering a code sent to their email address, you trust that they can access a file based on a cookie you've set. However, they are not logged in because they don't have an account. You would not do this with a login system. You'd do it with an authentication system.
gchamonlive, about 1 year ago
> This is a widespread problem, and it's well known. One common solution, using the terms "authn" and "authz", doesn't solve the problem. And this isn't just confusing, it leads to bad abstractions and general failures!

Well, in written language, authn and authz aren't mistakeable. In spoken language, I never heard anyone say authn or authz, but their fully developed versions.

And about bad abstractions, I believe that has less to do with bad naming and more to do with the fact that authenticating and permissioning is hard to express, develop and scale in a secure and reliable way.

I think a better use of time is to worry less about how to rename these moving parts and spend more energy studying the pitfalls like the confused deputy problem and how it could apply to your specific domain or use case.
zdw, about 1 year ago
Most places I've worked have standardized on AuthN and AuthZ as shortcuts for Authentication (login) and Authorization (permissions).

Do other folks have different experiences?
sergioisidoro, about 1 year ago
The problem goes way beyond any singular ecosystem and extends to the most basic standards as well.

For me one of the most confusing things about this topic is the use of "Unauthorized" in 402 [1], when the dictionary definition is about not having permission and authority to do an action [2].

So in my projects I usually use:

- 402 - Unidentified (identification) or Unauthenticated (Authentic identity)

- 403 - Forbidden (permission)

[1] https://developer.mozilla.org/en-US/docs/Web/HTTP/Status/401

[2] https://www.merriam-webster.com/dictionary/unauthorized
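Several comments above draw the same line in different words: verdverm's point that service accounts authenticate with a token and never "log in", jmsgwd's distinction between permissions (data) and authorization (the runtime check against that data), and sergioisidoro's mapping of "caller not identified" and "caller lacks permission" to two different HTTP status codes. The handler below is an added example, not code from the thread or from any project it mentions, that keeps the two steps separate and returns 401 only from the first and 403 only from the second. Every name, token, session id, route and permission in it is constructed for the example.

```python
# Added example, not code from the thread: one request handler that keeps
# authentication (who is calling?) and authorization (what may they do?) as
# two separate steps and maps each failure to its own HTTP status, 401 for
# "caller not identified" and 403 for "caller known, permission missing".
# Every name, token, session id and permission below is constructed.
import hashlib
import hmac
from dataclasses import dataclass, field


def _digest(secret: str) -> str:
    """Store only a hash of each credential so a leaked table is not usable."""
    return hashlib.sha256(secret.encode()).hexdigest()


# Constructed credential tables. Service accounts present a bearer token and
# never "log in"; interactive users hold a session id obtained at login.
SERVICE_TOKENS = {_digest("svc-token-reporting-0001"): "reporting-bot"}
SESSIONS = {_digest("sess-alice-abc"): "alice", _digest("sess-bob-def"): "bob"}

# Constructed permission table: authorization data, independent of which
# kind of credential the principal used to authenticate.
PERMISSIONS = {
    "alice": {"report:read", "report:write", "user:delete"},
    "bob": {"report:read"},
    "reporting-bot": {"report:read"},
}

# Which permission each route requires.
ROUTES = {
    ("GET", "/reports"): "report:read",
    ("POST", "/reports"): "report:write",
    ("DELETE", "/users"): "user:delete",
}


@dataclass
class Request:
    method: str
    path: str
    headers: dict = field(default_factory=dict)
    cookies: dict = field(default_factory=dict)


@dataclass
class Response:
    status: int
    body: str
    headers: dict = field(default_factory=dict)


def _lookup(table: dict, presented: str):
    """Constant-time compare of the presented credential against each stored hash."""
    wanted = _digest(presented)
    for stored, principal in table.items():
        if hmac.compare_digest(stored, wanted):
            return principal
    return None


def authenticate(req: Request):
    """Step 1, authentication: return the principal name, or None if the caller
    cannot be identified. Accepts either a bearer token or a session cookie."""
    header = req.headers.get("Authorization", "")
    if header.startswith("Bearer "):
        return _lookup(SERVICE_TOKENS, header[len("Bearer "):].strip())
    session_id = req.cookies.get("session")
    if session_id:
        return _lookup(SESSIONS, session_id)
    return None


def authorize(principal: str, required: str) -> bool:
    """Step 2, authorization: does this known principal hold the permission?"""
    return required in PERMISSIONS.get(principal, set())


def handle(req: Request) -> Response:
    required = ROUTES.get((req.method, req.path))
    if required is None:
        return Response(404, "not found")
    principal = authenticate(req)
    if principal is None:
        # Identity unknown: 401, and tell the client which scheme is accepted.
        return Response(401, "unauthenticated", {"WWW-Authenticate": "Bearer"})
    if not authorize(principal, required):
        # Identity known but permission missing: 403, never 401.
        return Response(403, f"{principal} lacks {required}")
    return Response(200, f"ok: {principal} may {req.method} {req.path}")


if __name__ == "__main__":
    bot = {"Authorization": "Bearer svc-token-reporting-0001"}
    print(handle(Request("GET", "/reports", headers=bot)).status)   # 200
    print(handle(Request("POST", "/reports", headers=bot)).status)  # 403
    print(handle(Request("GET", "/reports")).status)                # 401
```

The design choice worth noticing is that `PERMISSIONS` never mentions tokens or sessions: once `authenticate` has produced a principal name, `authorize` does not care how that name was established, which is exactly why "login" is too narrow a word for the first step and "permissions" names the table rather than the check.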
nailer, about 1 year ago
> Most computer systems we interact with have an auth system of some kind. The problem is, that sentence is at best unclear and at worst nonsense. "Auth" can mean at least two things: authentication or authorization

Yes, that was the point of using auth.
efitz, about 1 year ago
NB Security practitioners typically never say "auth" due to the ambiguity; we typically say "authN" or "authZ" for clarity, or use the actual terms authentication and authorization.
jmull, about 1 year ago
Isn't there a rather obvious solution to this "problem"?

When we need to be clear, let's call authentication and authorization... authentication and authorization.
1970-01-01, about 1 year ago
90% of development and IT is knowing acronyms and abbreviations. The other half is skills.
mcqueenjordan, about 1 year ago
I prefer AuthN and AuthZ.

I don't think sharing a prefix/root implies that they're the same thing.

Also, I don't think the suggested "permissions" and "login" terminology would work for all AuthN/Z schemes. For example, when exactly do you "login" when calling an API with a bearer token? Doesn't work for me.
treflop, about 1 year ago
Permissions to me is about setting a policy, and authorization is applying that policy.

I have never wanted to use them interchangeably.
ratiolat, about 1 year ago
Agree with the article. The worst offender is probably OAuth, providing endless confusion to developers and end users.
badgersnake, about 1 year ago
I lead the team responsible for auth on our product, and we just go with authN and authZ when we don't mean both.
chaos_emergent, about 1 year ago
Maybe instead of overloading the shorthand with two definitions, it's best to just use the actual words.
balex, about 1 year ago
"Most computer systems we interact with have an auth system of some kind."

The first sentence in the article actually highlights a nice "side effect" of the very thing it complains about: covering "Authentication" and "Authorization" with a single "auth". Convenient for those who understand the concepts and don't need the distinction. Especially since these terms are strongly related and often come together.
macspoofing, about 1 year ago
I get what you're doing, but the problem is that "login" and "permissions" are ambiguous in the context of Identity Management. For example, "Delete-User" is a permission that defines some 'permitted action', but it does not imply an "Administrator" role or a set of policies that should be governing access to some resources. So by trying to fix one semantic issue, you're introducing a bunch of other ones.
3np, about 1 year ago
"login" makes the situation of conflating authentication and authorization worse, not better.

"Logging in" can mean either authentication, authentication+authorization, or authorization depending on context.

Specifically, "logging in" does not need to imply authentication. Example: I "log in" to a public WiFi hotspot using a shared password written on the wall. Yet, there is no authentication taking place.
mkroman, about 1 year ago
"Permissions" seems too specific a term to use as a general term. It's something I'd use to describe the specific rights a role may have in role-based access control, and not authorization as a whole. I'll stick to authn/authz for abbreviations, auth for both or if it's not specific, and if it's for documentation or cross-department communication I'll just write the whole word.
sixdimensional, about 1 year ago
In traditional security training, you learn the "AAAs" of security: authentication, authorization and accounting (and don't forget the last one!).

It's good to have ways to easily capture the meaning of these words, but permissions and login are implementations that fulfill the requirement of the As, not the As themselves.
oaiey, about 1 year ago
I do not like it. AAAA is a good abbreviation for the necessary principles authentication, authorization, access and audit.

LPAA... is just not right.
bitwize, about 1 year ago
What about auth9n and auth8n? a12n and a11n? To be compliant with the current belt onion for synthesizing obscure techie jargon.
MattPalmer1086, about 1 year ago
I sympathise with the author wanting to make the meaning of these more obvious, but login is not a good synonym for authentication.

Login implies the process of obtaining a session by providing some credentials; this is not the same as authenticating, which can be achieved without requiring a session (e.g. bearer token).

I do quite like permissions for authorisation though.
cryptonector, about 1 year ago
No, we should say "authentication" and "authorization". I usually shorten the first to "authen." and the second to "authz.". I avoid "auth.", but when I do use it either it's clear from context which I mean or I mean both.
chefandy, about 1 year ago
Between dev and administration/ops work, I spent a couple of decades in the deep end of the tech pool. As we know, it's packed with layers of interconnected archaic, arbitrary and confusing terminology. I understand the resistance to renaming things; the cognitive overhead of learning new terms is real. However, when you remove decades-irrelevant technical limitations and contrived etymological justification, the reason for sticking to old, confusing names often boils down to "because I already know it." Many feel learning it all has earned them this machismo-driven badge-of-nerd-honor, and people advocating for more straightforward terminology are often viewed as weak, lazy, or incompetent. That's convenient for us, but hindering future generations and confusing non-technical users has a cost. For a field so focused on progress, this resistance to improving terminology is strange. While I don't advocate for constant change, or change for its own sake, we should challenge "because that's the way it's always been" as a justification for not making things better.
dagss, about 1 year ago
Don't say auth, say authn and authz.
brhsagain, about 1 year ago
I've always heard "auth" to mean authentication and "perms" to mean authorization.
zxxh, about 1 year ago
You know, my co-workers who grew up without English never seem to have all these problems. Almost like bored developers have nothing to do but wave around their thesaurus. This is free speech and a real opinion; please respect it to maintain a good discussion.
BrandoElFollito, about 1 year ago
I use Identify (who claims to be coming; it may be used to decide how to authenticate them), Authenticate (make sure that the above matches the user on file) and Authorize (provide to the application a set of stored permissions for the user).
mic_check_123, about 1 year ago
Authentication is when the bouncer checks your driver's license.

Authorization is when he lets you in the bar.

AuthN can be achieved numerous ways that don't even closely imply a "login". The terms we have suffice; it's the education around them that is sorely lacking.
tekchip, about 1 year ago
Auth is what you went for when "cloud" or any number of more widely used ambiguous terms are out there? That said, I think dialing back the use of technical terms watered down by the marketing team would be fantastic.
progx, about 1 year ago
So we are back to the most difficult thing in programming: naming things.
netfl0, about 1 year ago
No.
iandanforth, about 1 year ago
Totally agree with this article and I'll try to use these words.
dinkumthinkum, about 1 year ago
Lots of action on this article. I just kind of have this feeling of "how have we survived this long?" about this. It doesn't seem like that big of a deal.
bongodongobob, about 1 year ago
We do in infra/infosec/sysadmin. Sounds like a dev that just isn't familiar with the territory. That's why we have different departments.
nikolay, about 1 year ago
No. We have the long "authentication" and "authorization" and the abbreviations "AuthN" and "AuthZ".
candiddevmike, about 1 year ago
Or use the industry standard AuthN, AuthZ nomenclature?
_factor, about 1 year ago
We need to nail down what authentication and authorization do on a wide scale before we can pin down better naming. I agree with most of this.
bytearray, about 1 year ago
Everyone should use the terminology I prefer.
potus50, about 1 year ago
Honestly, I'm tired of people telling me how to talk. What if instead of policing language we educate people on the differences between authentication and authorization and best practices for implementation? I think you're onto the problem, but artificial language enforcement isn't going to fix it.
tripa, about 1 year ago
I'm fine with permissions. Heck, it's what I already say.

Login, no, just no.

Login is ambiguous to begin with: is it the action or the user identifier?

Login as the process of logging in, the best interpretation, is still pretty limited: authentication is the validation of a much longer chain of events than that. It may start with login, but it lasts for as long as the service accepts to believe such principal is behind such actions.

Login as username is IMHO the most common use of the word, and most obviously the wrong one to mean authentication.

To make things more interesting, auth already means authentication to me. I accept it can lead to confusion and a better substitute would be welcome.
mikl, about 1 year ago
Ah yes, the good old "the jargon for X is confusing, let's add more jargon".
jameshart, about 1 year ago
If you think 'auth' is confusing in an access management context, wait till you implement a payment system and discover that credit cards have an 'auth' process that has nothing to do with your user identity or user permission checks. A credit card auth is not 'authenticating' the card holder, or determining if they are 'authorized' to charge to a particular card. It is instead the process of being given authorization to capture funds from a payment instrument.
unixhero, about 1 year ago
Instead of plural accesses we should say entitlements.
NovemberWhiskey, about 1 year ago
So, uh, when my browser checks that the certificate for a site has a DNS SAN that matches the name I used to access it, is the website "logging in" my browser?

And does a signed S/MIME email "log in" to the MUA that receives it?

Authenticate is a perfectly good word, let's keep using that.
pseudocomposer, about 1 year ago
I think it should be "authentication" and "permissions."

There's pretty much no word in the English language to describe login/account creation/etc. other than "authentication." The word "login" is a poor substitute. There are no good synonyms for "authentication" that encompass all its applications in computer systems.

Meanwhile, there are already lots of synonyms used for "permissions." Given the abundance of these, and the lack of synonyms for "authentication," choosing "authorization" to describe permissions is, frankly, an asinine decision. It adds unnecessary cognitive overhead for everyone.

(That's not to say there's no place for, say, Unauthorized responses, etc. Just that we should be calling the topic "permissions" or really anything other than "authorization.")
Justsignedup, about 1 year ago
Honestly, I never allow people to abbreviate. You have to say "authenticate" (who are you) vs "authorize" (what are you allowed to do).

In fact I flag most abbreviations in code, for exactly this reason. We aren't charged by the character; spell it out, future you will always thank you.
ngc6677, about 1 year ago
What about using `sign`? - sign-up - sign-in - sign-out

Example: https://radio4000.com/sign
Giorgi, about 1 year ago
And script, instead of "app".
archsurface, about 1 year ago
'"Auth" can mean at least two things: authentication or authorization' - the two words you should be using.
valenterry, about 1 year ago
What? No!

Being able to "login" is a permission (or can be in some systems). We already have authorization and authentication. They are good words, just don't abbreviate them unless you mean both at the same time.
dboreham, about 1 year ago
No.
spenceryonce, about 1 year ago
Yes
slackfan, about 1 year ago
Nope. On general curmudgeon-y principle. Get off my lawn.
debuggerpk, about 1 year ago
authn, authz for me.
HeavyStorm, about 1 year ago
Yeah, no.
WhitneyLand, about 1 year ago
This article took some time to think through, reason about and write, likely with years of experience as a prerequisite.

Some articles/proposals like this are beyond what current AI could offer, but it's interesting to see which ones.

Asking GPT-4o, it gives:

Authentication: Verify, Authenticate, Login

Authorization: Authorize, Permission, Access

So in this case, it was able to offer the same suggestions as the author as well as some of those from the comments below.