Authentication vs Authorization: English Usage Guide for IT Professionals
"Authentication" (AuthN) verifies who you are; "authorization" (AuthZ) determines what you are allowed to do. The two are frequently abbreviated and just as frequently confused with each other. Using the wrong word in a security discussion is a red flag — they describe completely different checks.
Side-by-side comparison
| Aspect | Authentication | Authorization |
|---|---|---|
| Question answered | "Who are you?" | "What can you do?" |
| Abbreviation | AuthN | AuthZ |
| Happens | First — identity must be established | After AuthN — permissions checked |
| Example failure | 401 Unauthorized (wrong password) | 403 Forbidden (logged in, no permission) |
Example sentences
Authentication
- "The authentication service validates the user's password and issues a JWT on success."
- "Multi-factor authentication requires a password plus a one-time code."
Authorization
- "Authorization middleware checks whether the authenticated user has the admin role before granting access."
- "The user passed authentication but failed authorization — they're logged in but can't access billing."
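The two checks described in the sentences above, as an added example that is not from the original page: a minimal request handler that runs the AuthN check first (answering 401 with a challenge when no identity can be established) and only then the AuthZ check (answering 403 when the identity is known but lacks the required role). The token store, users and route policy are constructed sample data.

```python
from dataclasses import dataclass

# Constructed sample data (assumption, not a real store): users with roles,
# bearer tokens mapped to usernames, and the roles each route requires.
USERS = {
    "alice": {"roles": {"admin", "user"}},
    "bob": {"roles": {"user"}},
}
SESSIONS = {
    "tok-alice": "alice",
    "tok-bob": "bob",
}
ROUTE_ROLES = {
    "/billing": {"admin"},
    "/profile": {"user"},
}


@dataclass
class Response:
    status: int
    reason: str
    headers: dict


def authenticate(headers):
    """AuthN: map the bearer token in the Authorization header to a username, or None."""
    value = headers.get("Authorization", "")
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "bearer" or not token:
        return None
    return SESSIONS.get(token)


def authorize(username, path):
    """AuthZ: does this already-authenticated user hold a role the route requires?"""
    required = ROUTE_ROLES.get(path)
    if required is None:
        return False  # unknown route: deny by default (least privilege)
    return bool(USERS[username]["roles"] & required)


def handle(path, headers):
    user = authenticate(headers)
    if user is None:
        # 401: identity not established; the challenge header tells the client how to authenticate
        return Response(401, "Unauthorized", {"WWW-Authenticate": 'Bearer realm="example"'})
    if not authorize(user, path):
        # 403: identity known but permission missing; re-authenticating will not help
        return Response(403, "Forbidden", {})
    return Response(200, "OK", {})
```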
Exercises: choose the correct English usage
Select the best answer for each question, then check your reasoning.
1. A user logs in with a username and password. This is ___.
Explanation: Verifying identity (username + password) is authentication.
2. A logged-in user tries to access an admin page and gets 403 Forbidden. This is a failure of ___.
Explanation: 403 means the user is authenticated but not authorized for that resource.
3. Which HTTP status code is associated with authentication failure?
Explanation: 401 Unauthorized means the request lacks valid authentication credentials.
4. Which abbreviation is correct for authorization?
Explanation: AuthZ = authorization (the Z distinguishes it from AuthN = authentication).
5. Role-based access control (RBAC) is a mechanism for ___.
Explanation: RBAC assigns permissions to roles and checks them at request time — that's authorization.
Frequently asked questions
Why does HTTP say "401 Unauthorized" for authentication failures?
The name is a historical inconsistency in the HTTP specification. Despite the name, 401 means "not authenticated" (the server could not establish who you are). 403 means "authenticated but not authorized (forbidden)".
What is OAuth — authentication or authorization?
OAuth is an authorization protocol — it grants a third-party app limited access to resources. OpenID Connect (OIDC), built on top of OAuth 2.0, handles authentication.
What is SSO?
Single Sign-On — you authenticate once and gain access to multiple services without re-entering credentials. It's an authentication mechanism.
What is MFA?
Multi-Factor Authentication — requiring two or more verification factors (something you know, have, or are). A stronger form of authentication.
What is RBAC?
Role-Based Access Control — an authorization model where permissions are assigned to roles and users are assigned roles. Common in enterprise systems.
What is ABAC?
Attribute-Based Access Control — a more flexible authorization model where access decisions are based on attributes of users, resources, and environment.
How do you pronounce "authorization"?
UK English: aw-thor-eye-ZAY-shun. US English: aw-thor-ih-ZAY-shun. Both are correct.
What does "authenticated but not authorized" mean in practice?
The user is logged in (identity confirmed) but their account lacks the permission needed for the requested action (e.g. a regular user trying to access admin settings).
What is a "bearer token"?
An access token (often a JWT) presented in the Authorization HTTP header. "Bearer" means whoever holds the token can use it — no additional proof of identity is required, which is why bearer tokens must only travel over TLS and should be short-lived.
What is the principle of least privilege?
An authorization best practice: grant users and systems only the minimum permissions required to do their job, reducing the blast radius of a breach.