"Authorize" and "Authenticate" are excellent words. They go back to medieval times and haven't changed meaning too much.
Everybody knows what an "authority" is. It means they have power or capability.
Everybody knows what authentic means. Something that is proven to be genuine.
The difference between the two concepts, as they are used in crypto systems are specific, important to get right, and also inherently intertwined, confusing, and subtle. I'm skeptical that changing the words would help.
It's one of the many reasons we have the saying, "Don't roll your own crypto."
Trust and verification are just hard problems.
Auth means authentication or authorization? that's the dilemma
The industry has used “authz” and “authn” to disambiguate for decades.
I’ve been working in this industry for decades and this is the first time I made that connection…
you're not alone.
I can second GP.
I have always heard and used authz and authn (pronounced auth-z and auth-n). Bare "auth" typically was used to mean both, but IAM was more clear for that in specific contexts. E.G. you might say someone "authed" to indicate both authentication and authorization, and you might have an IAM team that handles both authentication and authorization.
FWIW, I lead an IAM team.
The distinction was already present in Apache2 configs in early 2000's, although there authentication was "auth", and "authorisation" was authz.
Real travesty came from OAuth. A system designed to handle authorisation was named after the term for authentication.
How are those pronounced?
You pronounce the last letter as a second syllable: authn is "auth-in" and authz is "auth-zee" (probably "auth-zed" in non-American English).
I've seen https://en.wikipedia.org/wiki/AAA_(computer_security) because authentication, authorization, and accounting (audit trails) need to go together so often. What you're allowed to do is sort of meaningless if we don't actually know who you are and what else you've done.
One type and you have a problem.
Maybe it's better to use less similar words if it's security related.
AuthN and AuthZ are appropriate and succinct ways to express the concerns when brevity is required
So one wrong letter or wrong auto complete and we have the wrong meaning.
In security, anything that is less prone to error is good, so words that are hard to confuse or misspell are good.
Why would you type the wrong letter when you mean the other one? Authentication means proving what something says it is, authorization is allowing someone to do something.
The concepts are different so it's not like a dial you are turning to make a measurement, the terms are for different domains
While I also agree that authn or authz are perfectly clear,
Really? Ignorance, laziness, rushing, fatigue, simple mistakes, etc.
What I think is worse is more letters doesn't save you. I've had some conversations where it has gone like 2–3 round trips before the other end realizes that "not" means not, and they mean … the other way.
yes but it's also even more important to be precise and correct which login/permission fail to be
login is at best defined as authorization + authentication
but things which are in general referred to as login but only provide authorization are not that rare (e.g. you pass a token to a client)
and logins which to provide authentication but not authorization exist to (but are rare and you probably could always nitpick them out of existence)
Similar the term permission is hugely overloaded due to it's wide usage in more causal most times end user facing documentation. Most times permissions are used in a more generic context, like a user having the permission to do something vs. a request made by a user being authorized to do something.
I mean in the end there is no reason not to use login/permission for end-user facing documentations, causal conversations etc. This terms are "good enough" most times. But if you provide a login library or technical documentation for APIs with complex interactions between authentication and authorization then using login/permission just won't cut it.
Also for AuthN,AuthZ there is no point to use auto completion and there is very very little chance to mistype them as long as you don't confused them. Luckily this kind of mistakes do not fall under the patterns dyslexia causes (especially if you do the capitalization).
Sure, so why would we replace the two words that have correct meaning when the real problem is laziness?
We now have autocomplete that could choose the wrong word.
We've had autocomplete that could choose the wrong word for over a decade. And?
Identity and permission are often closely related, and usually auth means both. If we replaced auth with permissions and login, I suspect we would still encapsulate the same overarching concept with one of those two words anyway. E.g. use the login module to add permissions to a user or use the permissions module to authenticate.
Having two almost identical terms that mean completely different things is not a very good idea. Also here you are explaining what the words mean, when "login" and "permission" are immediately obvious. Most people don't speak english natively either.
I don’t really consider making an API call as “logging in”. The term sounds really out of place other than in a few specific contexts.
The term “Identify” is a lot better in this regard.
It’s already universally used in IAM, where the other half of the puzzle is also clear and free from ambiguity: “Access”.
Access doesn’t cover everything though. But identify seems good
I think they mean use both - identity in place of login/authenticate and access in place of auth
Identity/identify may or may not have anything to do with Login, or Authentication...
KYC (know your customer) are about removing the ambiguity between you user and their identity....
Identification and authentication are different, though. You identify yourself to a website as a specific user (e.g. using a username) and the website in turn authenticates your claim, i.e. verifies that you are in fact the user you claim to be (e.g. using that user's password).
And the third half, “management” verbalizes the action therein.
Also, IAM has a cryptic assertion of ultimate authority: In Hebrew, . . . hayah carries the added weight of representing God himself: Yahweh, “I am.” [0]
https://hebraicthought.org/meaning-of-gods-name-i-am-exodus/
Indeed. "Logging in" implies some kind of long lasting session. And logging in conceptually only requires "identification" (e.g. via a username) but not necessarily "authentication" (e.g. via a password)
Identification is not necessarily via a username, people can identify you via just knowing how you look or your voice, the method doesn't matter.
IMO…
To “log in” is to convert the username/password pair (or API key, or whatever) into a smaller token with an expiration. Doesn’t matter of it’s put in a cookie in my browser, held in memory by some other API client, etc.
Aside: Why bother even doing that? Because every time you transmit the credential, there’s the possibility of leaking. We would rather leak the token that has an expiration.
I don’t think they are almost identical, they just have the same prefix. “Login” and “permission” each have the same problem: “login” is very similar to “logging”, and “permission” shares a prefix with “persistence” (or permanent). Ultimately software engineering is a broad enough field that we will necessarily have to use similar words to describe the many, many concepts
The issue is that they have the same prefix AND that unfortunately this prefix is used to abbreviate both words.
What does the "auth" module ?
We shouldn't use that abbreviation, then.
But authentication and authorization are often used in the same context where confusion is lethal.
The wild thing is that they’re apparently from different etymologies. “Authorization” comes from “auctor” in Latin, meaning “leader” or “author”, whereas “authentication” originally comes from the Greek “auto” meaning “self”. There probably was some cross influence that brought them into line though.
what's the difference between login and logon?
That's because they share the same root auto-, i.e. "self". Because they're related concepts...
Especially non-native English speakers, right.
well either they know the language to some functional degree, or they dont.
The Spanish words are very similar to the English ones:
- Autorización : Authorization
- Autenticación : Authentication
- Autoridad : Authority
- Auténtico : Authentic
I would guess that in other romance languages, they are also similar to the English version.
"Log In", on the other hand, only makes sense in English. If you tell someone "Estoy registrando adentro" they will be dumbfounded.
It's not that simple for non-native English speakers, not everyone works in an international team so English is being used on a technical level and you basically have to memorize what those words mean if they dont have similar sounding equivalent in your native language. And there people mess it up or simplify the terms by combining them and it doesn't make sense. And you wouldn't use your native language equivalents because docs are usually in English and we code naming things in English. Using those dumber terms would be much more straightforward for everyone.
Hum... I imagine you mean people without any Latine inheritance in their culture. Those words are very good words on way more languages than English.
Those words are also shared with other domains, where they have compatible meanings, and that intersect the usage in computer systems. So you'd better fix them there too.
Besides "permission" is not a verb, and "login" is one between a lot of different ways to authenticate people. What do you intend to do with the correct meaning of those words once you overload them?
Saw the headline, found your comment within two seconds, exhaled with relief.
Every time a cohesive pair of words is redefined, a new JS framework is born.
Yeah me too, but then I actually read the (very short) article, which immediately addresses that and not much else.
Better title would be 'instead of authz & authn ...' to make that clear, because it does just sound like they haven't heard of the concept at first.
And yet a lot of the devs I work with (I'd even go a say most) can't really explain to you the difference between both concepts and use "auth" as a blanket keyword ; which that word allows since it has the same root.
I think that proposal isn't bad because it makes a distinction using simpler words. I'd also prefer for people to learn that simple difference, but that's what we get.
Some time ago authentication was shortened to authn and authorization was shortened to authz. If I had to guess that was to aid people who had to write those words a lot. In that aid, I think they've somewhat lost meaning and just became generalized as "auth". People generally do know there are two steps to auth, are aware of the standards, but when asked to put it in words struggle because of some lexical convergence.
An analog to this is when I first stumbled upon words like a11y and i18n I had no idea what they meant. Now that I've actually had to deal with internationalization systems and accessibility systems I know very much what they mean, but similar to "auth" they're an umbrella invoking a large number of systems that can all function differently.
over many years, I've noticed how it's all about differences that get more subtle and precise on every field. I think this specially after watching this the introduction of https://www.youtube.com/watch?v=OMaYFUm8kQQ
this is specially complicated in fields with long histories. I've got an example that may only make sense in both english and spanish: fats, oils, gases/gasolines (grasas, aceites... gasolinas, petroleo)
other subtelties fresh on my mind today:
proposition vs axiom
argument vs parameter
(common) case law vs civil law
I could see an argument for using the less precise terminology for user facing error messages, but certainly not on the technical side.
Think you’re giving ‘Everybody’ a bit too much credit.
Our current implementations are like this. I'm not convinced this is inherent complexity, though.
It seems like almost all the complexity stems from people trying to create hooks to monetize all the pieces of the process.
Security and usability feel like a second and distant third in importance.
Yeah but it's hard to understand unless doing a lot with auth. Indeed "don't roll you own crypto" but you don't need a PhD in Mathematics to roll you own auth. Sometimes it's necessary and even if not, it's good to know what could need work.