Monday, June 2, 2014

PSA: Authentication != Authorization

Unfortunately, it's tempting to abbreviate both authentication and authorization as "auth." This common abbreviation causes people to confuse the two in their minds. I BEG you all to disambiguate as follows:

  • Authentication = AuthN
  • Authorization = AuthZ
(as per common sense and this other site I found)

Non-tech explanation:

Authentication (AuthN) is a means of confirming your identity. A weak real-world example is when a cashier checks your photo ID to match your name and face to the credit card you're using for a large purchase.
Authentication (AuthN) to match the human to the credit card
Authorization (AuthZ) is verifying that you have permission to perform an action. A weak real-world example is when a cashier checks your photo ID to verify you're old enough to legally purchase alcohol.
Authorization (AuthZ) to verify the human may purchase alcohol
By information security standards, our real-world mechanisms are extremely weak.
These are confused all the time because they both start with "auth" and you can use a driver's license to explain both. Really, they're quite different. Here's a non-driver's license example for both:

AuthN: You recognize your significant other's voice before engaging in flirtatious conversation.
Authentication (AuthN) to know you're flirting with your SO, not your parents
AuthZ: You know a secret handshake to get into a club.
Authorization (AuthZ) to grant access to premier plumbing services as a member of the Stonecutters
AuthN: Who am I?
AuthZ: May I?
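Here is the "Who am I?" / "May I?" split in code, as an added example that is not part of the original post: a small Python request handler that performs AuthN and AuthZ as two separate checks, next to the conflated version that stops after AuthN and so lets any valid login act on any record. The users, passwords, records, roles and handler names are all constructed for the example.

```python
"""Added example, not from the original post: AuthN ("who am I?") and
AuthZ ("may I?") as two separate checks in a small request handler.
All users, passwords, records and roles below are constructed sample data."""
import hashlib
import hmac
from typing import Optional

_SALT = b"constructed-demo-salt"  # a real system uses per-user salts and a slow KDF


def _pw_hash(password: str) -> str:
    return hashlib.sha256(_SALT + password.encode()).hexdigest()


# constructed sample users: stored password hash plus the roles they hold
USERS = {
    "alice": {"pw": _pw_hash("alice-pass"), "roles": {"editor"}},
    "bob": {"pw": _pw_hash("bob-pass"), "roles": {"viewer"}},
}

# constructed sample records; a copy is passed to each handler so the
# conflated and the correct version can be compared on the same starting state
RECORDS = {1: {"owner": "alice", "body": "quarterly numbers"}}

# AuthZ policy: which role may perform which action
ROLE_PERMISSIONS = {
    "editor": {"read", "delete"},
    "viewer": {"read"},
}


class AuthNError(Exception):
    """Identity could not be established (bad credentials)."""


class AuthZError(Exception):
    """Identity is known, but the action is not permitted."""


def authenticate(username: str, password: str) -> Optional[str]:
    """AuthN: confirm the caller is who they claim to be.
    Returns the verified username, or None when the credentials don't match."""
    user = USERS.get(username)
    if user is None:
        return None
    # constant-time comparison so a mismatch is not timing-observable
    if not hmac.compare_digest(user["pw"], _pw_hash(password)):
        return None
    return username


def authorize(username: str, action: str, record_id: int, records: dict) -> bool:
    """AuthZ: may this already-authenticated user perform `action` on the record?
    Owners may always read their own record; everything else goes through roles."""
    record = records.get(record_id)
    if record is None:
        return False
    if action == "read" and record["owner"] == username:
        return True
    return any(action in ROLE_PERMISSIONS[r] for r in USERS[username]["roles"])


def handle_delete_conflated(records: dict, username: str, password: str, record_id: int) -> str:
    """The conflation bug: a successful AuthN is treated as if it answered
    the AuthZ question, so any valid login can delete any record."""
    if authenticate(username, password) is None:
        raise AuthNError("bad credentials")
    records.pop(record_id, None)
    return "deleted"


def handle_delete(records: dict, username: str, password: str, record_id: int) -> str:
    """AuthN first, then AuthZ, as two distinct questions with distinct failures."""
    who = authenticate(username, password)
    if who is None:
        raise AuthNError("bad credentials")
    if not authorize(who, "delete", record_id, records):
        raise AuthZError(f"{who} may not delete record {record_id}")
    records.pop(record_id)
    return "deleted"


if __name__ == "__main__":
    # bob is only a viewer, yet the conflated handler lets him delete alice's record
    print(handle_delete_conflated(dict(RECORDS), "bob", "bob-pass", 1))
    store = dict(RECORDS)
    try:
        handle_delete(store, "bob", "bob-pass", 1)
    except AuthZError as e:
        print("AuthZ refused:", e)
    print(handle_delete(store, "alice", "alice-pass", 1))
```

Keeping the two failures as two exception types matters at the edge of the system: an AuthN failure is the case HTTP calls 401, an AuthZ failure is 403, and a handler that only knows "auth failed" cannot tell a client (or a log reader) which question was answered no.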

Call to action for tech people:

Grep your codebase for instances of /auth(?![enz]|or)/i (bare "auth" that is not the start of authentication, authn, authz, authorization or author) and eliminate them. Add a FindBugs rule to weed them out. Call out auth conflation in code reviews. WHEN TAKING NOTES, PERSONALLY ABBREVIATE VIA AUTHN OR AUTHZ, NEVER AUTH.
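A grep pattern gets awkward once you want to skip authentication, authorization, author and OAuth while still catching auth_token, AuthMiddleware and getAuth. The following scanner, an added example that is not from the original post, works at the identifier level instead: it splits each identifier into words and flags those where "auth" stands alone. The sample source it runs on is constructed, and the directory scan assumes Python files (change the glob for other languages).

```python
"""Added example, not from the original post: a small scanner for identifiers
that use the bare abbreviation 'auth' instead of 'authn' or 'authz'.
The SAMPLE source below is constructed."""
import re
import sys
from pathlib import Path

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
# Split camelCase / snake_case / UPPER_CASE identifiers into words. The
# optional trailing [NZ] keeps 'AuthN' and 'AuthZ' as single words.
WORD_SPLIT = re.compile(r"[A-Z]?[a-z0-9]+[NZ]?(?![a-z])|[A-Z]+(?![a-z])")


def words_of(ident: str) -> list:
    words = [w.lower() for w in WORD_SPLIT.findall(ident)]
    out = []
    for w in words:
        # re-join the proper name OAuth, which the splitter cuts into 'o' + 'auth'
        if w == "auth" and out and out[-1] == "o":
            out[-1] = "oauth"
        else:
            out.append(w)
    return out


def find_bare_auth(source: str) -> list:
    """Return (line_number, identifier) for every identifier that contains the
    word 'auth' on its own (auth_token, AuthMiddleware, getAuth). Identifiers
    built on authn, authz, authentication, authorization or author are fine."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for ident in IDENT.findall(line):
            if "auth" in words_of(ident):
                hits.append((lineno, ident))
    return hits


def scan(paths) -> list:
    """Scan files (or directories, recursively, *.py only) and return
    (path, line_number, identifier) tuples."""
    results = []
    for p in paths:
        files = [Path(p)] if Path(p).is_file() else Path(p).rglob("*.py")
        for f in files:
            for lineno, ident in find_bare_auth(f.read_text(errors="replace")):
                results.append((str(f), lineno, ident))
    return results


# constructed sample source
SAMPLE = """\
def authn_user(token):
    return authz_check(token)

class AuthMiddleware:
    auth_token = None
    author = "alice"
    authorization_header = ""
    oauth_client = OAuthClient()
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        hits = scan(sys.argv[1:])
    else:
        hits = [("<sample>", l, i) for l, i in find_bare_auth(SAMPLE)]
    for path, lineno, ident in hits:
        print(f"{path}:{lineno}: bare 'auth' in {ident} -- authn or authz?")
```

Run it with no arguments to see the two sample hits (AuthMiddleware and auth_token), or pass file and directory paths to scan a real tree; the output format is one hit per line so it drops straight into a pre-commit hook or CI step.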

Also, OAuth is actually OAuthZ. OAuth is a reference architecture for OAuthN. Got it?