Instead of 'Auth,' We Should Say 'Permissions' and 'Login' (ntietz.com)

The term "auth" is ambiguous, often meaning either authentication (authn) or authorization (authz), which leads to confusion and poor system design. Instead, Nicole Tietz-Sokolskaya, a software engineer at AI market research platform Remesh, argues that the industry should adopt the terms "login" for authentication and "permissions" for authorization, as these are clearer and help maintain distinct, appropriate abstractions for each concept. From their blog post: We should always use the most clear terms we have. Sometimes there's not a great option, but here, we have wonderfully clear terms. Those are "login" for authentication and "permissions" for authorization. Both are terms that will make sense with little explanation (in contrast to "authn" and "authz", which are confusing on first encounter) since almost everyone has logged into a system and has run into permissions issues. There are two ways to use "login" here: the noun and the verb form. The noun form is "login", which refers to the information you enter to gain access to the system. And the verb form is "log in", which refers to the action of entering your login to use the system. "Permissions" is just the noun form. To use a verb, you would use "check permissions." While this is long, it's also just... fine? It hasn't been an issue in my experience.

Both of these are abundantly clear even to our peers in disciplines outside software engineering. This to me makes it worth using them from a clarity perspective alone. But then we have the big benefit to abstractions, as well. When we call both by the same word, there's often an urge to combine them into a single module just by dint of the terminology. This isn't necessarily wrong -- there is certainly some merit to putting them together, since permissions typically require a login. But it's not necessary, either, and our designs will be stronger if we don't make that assumption and instead make a reasoned choice.

  • Or, here's an idea (Score:5, Insightful)

    by 93 Escort Wagon ( 326346 ) on Tuesday May 28, 2024 @07:15PM (#64506635)

    The problem isn't the words, it's the shorthand - so how about simply not saying "auth"? If you mean authorization, say "authorization". If you mean authentication, say "authentication".

    I mean, if we introduce the term "permissions" then it's simply a matter of time before the "auth" people start saying "perms"... and now we've created new confusing ambiguity between permissions, permitting, and hair styling.

    • This was solved like 20 years ago with authn and authz and holy shit, that is even in the fucking summary. So now we need to listen to some moron say login and permissions? Do we need to reinvent local vs federated authn, do we need to reinvent oauth and, while at it, rename consent to privileged entity obedience or some shit?
      • by klipclop ( 6724090 ) on Tuesday May 28, 2024 @09:06PM (#64506815)
        They probably work for a fancy consultant and were paid big bucks to come up with that suggestion. Lol
      • by gweihir ( 88907 )

        Indeed. Incidentally, "authorisation" does not even mean "permissions". It does mean deciding whether a specific access is allowed. That can be much simpler and much more complex than "permissions".

      • We don't need to do anything. It's just a random article by a random person. People should stop feeling pressure to act just because someone, usually a self-proclaimed or, these days, self-righteous expert tells them to change. Some ideas deserve attention. Most of them don't. Move on. Nothing to see here.

        • Go look at the normal submission system. This story isn't there.

          design. Instead, Nicole Tietz-Sokolskaya, a software engineer at AI market research platform Remesh

          See this isn't a story. It's SEO. The confusion between various IAAA components is a well known thing, this guy just pulled a topic out of his hat so he'd have something to attach his name to.

    • I've always just said "Authentication" or "Authorization" depending on what I meant, almost never would I use the shorthand Auth... I don't see any point in replacing those excellent words which work well.

      "Login" also seems like slightly less clear a word.

      • Re: (Score:2, Interesting)

        by nuggz ( 69912 )

        I agree with renaming for clarity.

        However I really only care about authorization, of which authentication is a necessary precondition anyway. Most of the time at least.

        • We already have a standard for shortening long names. Thus

          * a13n replaces 'authorization', and
          * a14n replaces 'authentication'.

          Both of these are 1 char shorter than authz / authn, so it should greatly simplify things.

      • "Login" also seems like slightly less clear a word.

        It also means something slightly different than "authorization" or "authentication." Use the words that mean what you mean.

    • by Anonymous Coward

      If you're dealing with someone who can't tell what you mean then perhaps you shouldn't hire them.

      Jargon exists for a reason.

      Nicole Tietz-Sokolskaya, a software engineer at AI market research platform Remesh

      How about you use the terms that existed long before some marketing droid came up with your entire field? You wouldn't go to work in a pharmacy and then demand they stop using all those Latin abbreviations.

    • Yeah, they're too long. I suggest shortening login to log, and permissions to mission.

    • If I were that girl's boss, I would be questioning my decision to hire her. She sounds like a new high school graduate who thinks she has stumbled upon an important topic that all of us career programmers have somehow never considered, but she never had a programming class.

      We really shouldn't have to be having this conversation, as the solution is exactly what you pointed out: don't use shorthand where the meaning of the shorthand isn't clear. This is covered on the first day of any competent programming cl

      • And yet we are having this conversation and this means that someone of the "career programmers" forgot what he learned "on the first day of his competent programming class" and now is butt hurt that the newbie not only a) noticed it but also b) suggested a quick win with words that aren't longer than the maybe unclear shorthand terms.

        • No. I'm annoyed that yet another newbie has inflated a simple, non-issue into the status of dramatic problem. It might even be an LLM told to pick some random facet of computer security and pretend like it's a problem.

          • Well, however small the issue is, I don't think a blog or social media post is "dramatic". Especially if a fix is proposed that is basically free.

            It becomes dramatic when people get annoyed because they can't handle ideas for improvements, especially for small obvious stuff that they missed.

            My idea: take all the drama out by just saying: "Ahh yes. I'll keep it in mind".

            • This was already a solved problem and the author goes out of his way to address the solutions as being inadequate while offering a solution that is itself inadequate.

              Authn and authz have a clear meaning to anyone who needs to know what they mean, they can be collectively referred to as "auth" which is fine too. If you don't know the distinction then you shouldn't be messing with permissions.

              Login and permissions has its own issues because login is ambiguous with the closely related term that the au

        • by DarkOx ( 621550 )

          contextualize the problem there. There really is one (1) case, initial signon, where authorization and authentication may be occurring simultaneously, and in that case there is really only one decision being made too, which is: is the subject authorized to continue authenticating? After that point everything really is unambiguously either an authorization or an authentication decision.

          Even if you are talking about something like a message or a token - you are going to Authenticate the message, then make an a

          • In other words: You don't want any improvements because you have arranged yourself with the problem and mitigated it.

            • I tease DarkOx regularly and he's arguably right. Uh this time he's right.

              I don't know why anyone is defending the author with their unsupported claims that authn and authz are too confusing when with their next breath he says that we should replace authn with "login" as if that doesn't have its own ambiguities revolving around Identity and Authentication.

              Well now that we've cleared that up if DarkOx wants to tell us about appeasing Russia or banning abortions... well I'll be right here.

      • by hawk ( 1151 )

        >If I were that girl's boss, I would be questioning my decision to hire her.

        but . . . but . . . this is the most important technology terminology breakthrough since banning the "master slave flipflop" !

    • I definitely remember we had this discussion almost 30 years ago when we were discussing apache module namespaces.

      Good to see it is still an unsolved issue.

      I have a very original idea, how about we borrow the I18N scheme - use the number of letters between first and last, so we get - A12N and A11N? Much better, eh? :)))

    • by AmiMoJo ( 196126 )

      The issue is having two very similar sounding and looking words in the same domain.

      Permitting is I think some American thing to do with building regulation, and a perm is a hair treatment process, so neither are likely to conflict in the computer security space.

    • by gweihir ( 88907 )

      Indeed. That is what I do in my security lectures after explaining the potential for misunderstanding. Solves the problem nicely.

      Incidentally, "login" is somewhat orthogonal to "authentication". You can, for example, have login without authentication. Yes, this is a border-case, but it does exist. Anonymous login is a thing, e.g. in FTP. You can also have authentication without login, for example, when a document gets authenticated with a signature or for a more technical example when a DNS response packet

      • I would argue that anonymous FTP is still "authentication". You've presented an identity ("anonymous"), and the necessary credentials to verify that identity (none). Saying it's not authentication is like saying zero isn't a number, or an empty list isn't a list.

        • by gweihir ( 88907 )

          Anonymous FTP uses "identification", but there is no proof of that claimed identity, the claim is accepted without further proof. Hence it cannot be authentication.

    • That is why, when we say auth, we mean both authentication and authorization because they should go hand in hand, if you separate them then they become different concepts that are implemented separately.

      The author of this dumb blog post doesn't understand the fact that professionals understand what needs to be done and use short hand inside the biz.

    • by Spazmania ( 174582 ) on Wednesday May 29, 2024 @09:02AM (#64507591) Homepage

      The industry has already adopted alternative terms: identity and access management (IAM). And unlike "permissions" and "login" these terms accurately represent the scope of the authentication and authorization components.

    • by Anonymous Coward

      At the risk of being pedantic, authentication is a mechanism that allows someone to assume the role of a specific user or context. Authorization is what hands that specific role or context permissions to do stuff, if anything.

      A lot of words can be mixed up and it makes some sense. Permissions, and rights, for example. ACEs can even be used, but ACEs can be used to deny.

      Then, there is the age-old thing. In Windows, it is "logon", in UNIX, it is "login". Other places, it is username or userid.

      I can see so

    • by tlhIngan ( 30335 )

      The problem isn't the words, it's the shorthand - so how about simply not saying "auth"? If you mean authorization, say "authorization". If you mean authentication, say "authentication".

      Because people are lazy. That's a lot of letters to type. It's why we had oddball shorthand like i18n - because typing out internationalization is just too much.

      authorization is 13 letters
      authentication is 14 letters

      Maybe we can just call it a13 and a14 ?

    • by mjwx ( 966435 )

      The problem isn't the words, it's the shorthand - so how about simply not saying "auth"? If you mean authorization, say "authorization". If you mean authentication, say "authentication".

      I mean, if we introduce the term "permissions" then it's simply a matter of time before the "auth" people start saying "perms"... and now we've created new confusing ambiguity between permissions, permitting, and hair styling.

      Don't we already use "permissions" and "login" to talk "computer" with laypersons?

      When it comes to shorthand, typically you're using it with people who will understand how the word is being used in context, so people will know if "auth" is "authentication" or "authorisation". I.E. I've just got the auth to make the changes to the auth system. Keep in mind I'd never say that as I'd sound like a total knob.

      Sounds like a bunch of marketing people who have nothing better to do... and will soon be out of a

  • At least the American Automobile Association will be happy to get their acronym back.
  • No. (Score:5, Interesting)

    by Local ID10T ( 790134 ) <ID10T.L.USER@gmail.com> on Tuesday May 28, 2024 @07:29PM (#64506671) Homepage

    The terms Authorization and Authentication are not ambiguous.

    This is a contrived problem. If you are not clear which you mean, don't use shorthand.

    • by dgatwood ( 11270 )

      The terms Authorization and Authentication are not ambiguous.

      This is a contrived problem. If you are not clear which you mean, don't use shorthand.

      I would go one step farther, and say that if I say "auth", I likely mean both. I can't even think of an example of authorization that doesn't require some prior authentication of the sender. And most authentication is for the purposes of authorizing something.

      So to me, this is like arguing that you shouldn't say "quarter" when you mean "heads" or "tails". They're two sides of the same coin.

    • The terms Authorization and Authentication are not ambiguous.

      The article doesn't say they are. They say it shouldn't be shortened to "auth" which is ambiguous. To be fair I've never seen the word "auth" used.

      • by dgatwood ( 11270 )

        The terms Authorization and Authentication are not ambiguous.

        The article doesn't say they are. They say it shouldn't be shortened to "auth" which is ambiguous. To be fair I've never seen the word "auth" used.

        I've seen it used all the time in the context of protocols, e.g. "HTTP digest auth". But it is usually obvious what you're talking about from context.

        • by Entrope ( 68843 )

          Except in a few questions posted by (ignorant) people asking how to use it, where have you seen that abbreviation used? How does one spell the associated HTTP header?

          • by dgatwood ( 11270 )

            Except in a few questions posted by (ignorant) people asking how to use it, where have you seen that abbreviation used?

            Apache configuration file syntax: AuthType Digest

            PHP environment variable: PHP_AUTH_DIGEST

            How does one spell the associated HTTP header?

            Well, the documentation from Mozilla [mozilla.org] says that its syntax is:

            Authorization: <auth-scheme> <authorization-parameters>

        • HTTP also gets them wrong even in their status code names. 401 Unauthorized actually means unauthenticated.
          So maybe that is what prompted this suggestion, because it is hardly a common misunderstanding.

          • Not true.

            A 401 response can appear for authenticated users as well. Also, "are you authenticated" is in some cases a valid way to determine authorization.

            401 means "you do not have permission to view this content", which by definition means you are unauthorized. That is 100% correct usage. How the authorization attempt was made is irrelevant.

            • by jeremyp ( 130771 )

              I don't agree. 403 is the status code for "you - authenticated person - don't have permission to see this content". 401 normally results in the client sending authentication credentials and then the content can be served if the server recognises them.
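The summary's point about keeping login and permissions as separate abstractions, and the 401-versus-403 exchange just above, can be demonstrated in working code. The handler below is an added example, not code from the article or from any commenter: it runs an authentication step and a permissions step separately and maps the outcomes onto the HTTP status codes as RFC 9110 defines them (401 with a WWW-Authenticate challenge when no valid credentials were presented; 403 when the verified identity lacks permission). The users, passwords, paths and permissions table are constructed sample data.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Optional


def _hash(salt: str, password: str) -> str:
    """Salted SHA-256 for the constructed sample store (a real system would use a KDF)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed sample credential store: user -> (salt, hash).
USERS = {
    "alice": ("s1", _hash("s1", "correct horse")),
    "bob": ("s2", _hash("s2", "battery staple")),
}

# Constructed sample permissions table: user -> set of allowed (method, path).
PERMISSIONS = {
    "alice": {("GET", "/reports"), ("DELETE", "/reports")},
    "bob": {("GET", "/reports")},
}


@dataclass
class Response:
    status: int
    headers: dict = field(default_factory=dict)
    body: str = ""


def authenticate(headers: dict) -> Optional[str]:
    """Login step: verify an HTTP Basic credential; return the user name or None."""
    scheme, _, param = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic" or not param:
        return None
    try:
        user, _, password = base64.b64decode(param, validate=True).decode().partition(":")
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    record = USERS.get(user)
    if record is None:
        return None
    salt, expected = record
    if not hmac.compare_digest(_hash(salt, password), expected):
        return None
    return user


def authorize(user: str, method: str, path: str) -> bool:
    """Permissions step: does the already-verified user hold (method, path)?"""
    return (method, path) in PERMISSIONS.get(user, set())


def handle(method: str, path: str, headers: dict) -> Response:
    """Dispatch one request through the two separate checks."""
    user = authenticate(headers)
    if user is None:
        # No valid credentials: 401 plus a challenge asking the client to log in.
        return Response(401, {"WWW-Authenticate": 'Basic realm="reports"'})
    if not authorize(user, method, path):
        # Identity verified but permission missing: 403; re-authenticating will not help.
        return Response(403, body="forbidden")
    return Response(200, body=f"ok {user} {method} {path}")


def basic(user: str, password: str) -> dict:
    """Build an Authorization header for the sample requests."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    return {"Authorization": "Basic " + token}


if __name__ == "__main__":
    for req in [("GET", "/reports", {}),
                ("DELETE", "/reports", basic("bob", "battery staple")),
                ("DELETE", "/reports", basic("alice", "correct horse"))]:
        print(req[0], req[1], "->", handle(*req).status)
```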

    • The proposed terms are also misleading.

      While "permissions" does roughly correspond to "authorization" in common parlance, in a technical setting "permissions" are usually just one abstraction among several that go into implementing authorisation.

      As for "login", that is just one application of authentication, involving the creation of some sort of stateful session beyond the login event itself.

      • by jeremyp ( 130771 )

        Yes because, when I use sudo, I may be asked to authenticate myself and nobody would call that a "log in".

  • How in the hell (Score:5, Insightful)

    by Baron_Yam ( 643147 ) on Tuesday May 28, 2024 @07:32PM (#64506681)

    How did this make the live page instead of being voted 'stupid' into oblivion.

    • How did this make the live page instead of being voted 'stupid' into oblivion.

      Nowadays a significant number of Slashdot stories - including this one - don't seem to have passed through the Firehose at all. So I guess the answer is, "the site owner wanted this story posted"?

  • by Anonymous Coward

    People do tend to overgeneralize their own experience.
    This may be a problem in her organization, but I wouldn't assume it's widespread.

  • by Anonymous Coward

    Instead of "your mom" I like to just use "bitch" or "shut the fuck up".

  • Or, since "login" doesn't quite mean "authentication" maybe say "authentication" for "authentication".

    • I still have a hate boner for the word login. You log on, because that's entering your username and password. It used to mean turn logging on, in other words, let me be a user and log stuff that I do.

      Login is a modernization based on learning by context and normal bastardization. I'm not sure that I can disagree with common usage of the word login, but if you're talking about what should be and shouldn't be, and using computer science language, you should be aware enough to address log on versus login if yo

  • The Top 20 Worst Passwords lists that haven’t changed in decades (literally) prove beyond any doubt that re-defining the problem is going to contribute FUCK ALL to the challenge of “auth”.

    I would love to say I can’t even believe here, but people are just THAT fucking ignorant now.

    • The reality is that users do not care. They may know better but unless it's their own bank account... It could be an unwanted required hurdle in their way making them irritated as well.

      I've studied actually a TB of leaked passwords trying to find something interesting or revealing and all I found is that some obviously unimportant sites had a high number of poor passwords... and that people will just "upgrade" their bad passwords to make them "better." adding 1 or ! for example. Many use a year which may o

  • If you're actually paying attention and using these terms in specs and design, they're already called AuthN and AuthZ. If you don't know enough to know the existing industry terms, changing the terms isn't going to change the fact that you don't understand the difference between them, no matter what names you give them.

    • Yes, but you never know when the clear and unambiguous technical terms might become offensive, so best to have a backup.

      Pity the poor genz physics student learning about advanced and retarded potential.

      • The basement dwellers who get offended by terms such as retarded, rarely step out and so have little to no impact on the real world
  • I work with a guy who called a desktop computer chassis "the hard drive" last week
  • Enough with the AI cyber waffle ..
  • There are a bunch of words commonly used in IT that are overused and ambiguous. The word "container" has been used in a wide variety of contexts: CSS Containers, Object storage containers, Java runtime environments, and even pre-Docker virtualization environments.
  • When we talk about authentication and authorization, we usually refer to them as a single collection of security precautions. In many contexts, we don't _have_ to distinguish between the two. Every single authentication platform or component, also does authorization, and vice versa. OAuth, MS Identity Server, whatever, they all do both. It's handy to just be able to use one short word to describe the collection of security features.

  • Login has a very enter your username and password to proceed connotation. That is very different then authentication, which can be through any number of methods of identifying the requestor. Is using a pre-established trust relationship to access an API endpoint a login? I'd have to argue that it isn't, but does require an authentication request be fulfilled. I'd similarly argue that permissions make sense when talking about user access to a frontend. It doesn't make sense when talking about two backend s
    • by Zumbs ( 1241138 )
      The title of your post vs the contents of your post is a good argument for the change suggested in the article. You use authorization in the title and authentication in the contents of your post. Now, do you know the difference or did you just make a typo?
      • I would assume it was a typo, personally.

        That said, changing the words associated with a complex topic will not in any way make that topic less complex. If you change it to login/permissions, newbies will start misusing login to mean permissions and vice versa. Never underestimate the ignorance of newbies -- and even other experts at times...

        Back to square one.

  • Like permissions on an object.

    Can we please stop expecting 'my terse term' to match 'your terse term'? Sometimes you need 3 words for clarity. And software creation tools are for computers, not people... that should change.

  • I agree, we definitely need to use simple understandable words rather than getting lost in jargon like AuthN & AuthZ. Such terms are confusing even to developers, unless you work day in and day out with such terms.

    Login & Permissions are much better and can be understood instantly, even by a layman. They are simple, clear and are used across a variety of fields. They are also more appropriate than Authentication & Authorization. Permissions implies a list of things that are allowed. Authoriza
  • I have not come across this word before. Is this brought to you by the department of lazy speakers who could care less about the English language to the point they can't even muster up an "n't" to make their sentences make sense?

  • "Login" does not capture "authentication" at all. "Login" is a state-change that does not even require authentication. It means establishing a somewhat persistent communication channel that allows the issuing of commands and reception of results. Authentication, on the other hand, is a claim of an identity bolstered with proof of that identity and can happen in contexts that have no connection to "login". For example, a signature can authenticate an email or a binary to be installed.

    Hence while I agree the

  • I agree with this. It is a real problem. The author of the article is not stupid.

    The auth-auth confusion has infected the OAuth2 standard. OAuth2 docs say that the "auth" is for authorization, not authentication. But it is used widely for authentication, as it can be used for that also. Sort of. OpenID is an authentication standard built on top of it OAuth (correct me if I'm wrong), but frequently the term OAuth is used instead. Or maybe OpenID is not fully implemented in a particular case and plain

  • I say authentication when I mean authentication and authorization when I mean authorization.

    But I get paid by the character.

  • They are probably getting their AI / ML / Language models confused with "auth" and are trying to change the behavior of humans so that the whatever language models they are working on / using has an easier time with that word.

    I don't think I have seen "auth" in a formal context and in informal context, it is easy enough to understand what it means from the context. I will not be surprised if whatever they are working on has problems understanding the context.

  • adopt the terms "login" for authentication and "permissions" for authorization

    These other words actually mean something different. Authorization is Not Only permissions, But includes other stuff so calling it permissions could be misleading.

    Authentication is actually: Verifying you are who you say you are.

    Authorization is actually: Checking your authentication against the requested operation And answer the question: Is who you are by policy Allowed right now To Login and do the thing you are ask

  • We used to say triple A... Authentication Authorization and Accounting (think audit trail)

    But thats too haaarrrddddd!!! Why is it sooo hhaaarrrd!!! It SHOULD be EASY! *stomps away pouting* (And THIS is a programmer/developer)

    And the world gets dumber
    sigh

    No coffee yet and I'm cranky!

  • How is this ambiguous? In what scenario could you use both words *and* have them lead to different outcomes?
    Much like 'knack', I have never been in the scenario where someone believed I was talking about chopping up dead horses when I really meant improvised proficiency, and had that lead to a possibly different outcome in the conversation.

    I think this is a getting paid for nonsense consultant.

    • How is this ambiguous? In what scenario could you use both words *and* have them lead to different outcomes?

      LLMs having trouble parsing this, so this would be AI devs pushing a training agenda

      We should immediately switch to using randomly generated words for these use cases

      The context resolves all ambiguity and anyone struggling with this is horribly broken

  • Only a programmer would be dumb enough to confuse that. Network Eng's do not need that type of hand holding.

  • “Fuck off,” and “Eat a dick.”

  • NT, like Windows NT
  • This is the silliest rant I have come across this week... Why would anyone compare an abbreviated word with a non-abbreviated word, and then use that as proof that the abbreviation is not as clear as the non-abbreviated word - duh!

    Wait till you discover acronyms... the same 3, 4, or 5-letter acronym could mean so many different things... now that is something we should all rail about!

    If you want to use the full word, nobody is stopping you... do it for clarity's sake... but for heaven's sake, don't introduc
