
Authentication vs Authorization: English Usage Guide for IT Professionals

"Authentication" (AuthN) verifies who you are; "authorization" (AuthZ) determines what you are allowed to do. Both are frequently abbreviated and confused. Using the wrong word in a security discussion is a red flag — they describe completely different checks.

Side-by-side comparison

Aspect              Authentication                          Authorization
Question answered   "Who are you?"                          "What can you do?"
Abbreviation        AuthN                                   AuthZ
Order               First: identity must be established     After AuthN: permissions checked for that identity
Example failure     401 Unauthorized (bad or missing         403 Forbidden (authenticated, but the
                    credentials)                             identity lacks permission)

Example sentences

Authentication

  • "The authentication service validates the user's password and issues a JWT on success."
  • "Multi-factor authentication requires a password plus a one-time code."

Authorization

  • "Authorization middleware checks whether the authenticated user has the admin role before granting access."
  • "The user passed authentication but failed authorization — they're logged in but can't access billing."

Exercises: choose the correct English usage

Fill in the blank or answer each question, then check your reasoning against the comparison table above.

1. A user logs in with a username and password. This is ___.

2. A logged-in user tries to access an admin page and gets 403 Forbidden. This is a failure of ___.

3. Which HTTP status code is associated with authentication failure?

4. Which abbreviation is correct for authorization?

5. Role-based access control (RBAC) is a mechanism for ___.

Frequently asked questions

Why does HTTP say "401 Unauthorized" for authentication failures?

Historical naming inconsistency. Despite the name, 401 means "not authenticated": the server could not establish who you are, and RFC 7235 requires a 401 response to carry a WWW-Authenticate header telling the client how to authenticate. The request header that carries those credentials is, confusingly, named "Authorization". 403 means "authenticated but not authorized (forbidden)": re-sending the same credentials will not help. One caveat: a server may deliberately return 403 (or 404) instead of 401 when it does not want to reveal whether a resource exists or which check failed.
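The table above and this FAQ answer describe the two checks in order: authenticate first, then authorize, and map each failure to its status code. The following Python handler is an added example, not code from the original page; the users, roles, routes and the static salt are constructed for illustration. It authenticates from an HTTP Basic "Authorization" header (the RFC 7235 header name that carries authentication credentials), then applies a role-based (RBAC) permission check, returning 401 with a WWW-Authenticate challenge for AuthN failures and 403 for AuthZ failures.

```python
import base64
import hashlib
import hmac
from dataclasses import dataclass
from typing import Optional


# --- Constructed sample data; none of this comes from the original page -----

def _hash_password(password: str, salt: bytes) -> bytes:
    """PBKDF2-HMAC-SHA256 password hash (constructed helper)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


_SALT = b"constructed-static-salt"  # assumption for the demo; real code uses one random salt per user
USERS = {
    "alice": {"hash": _hash_password("alice-pw", _SALT), "roles": {"admin", "staff"}},
    "bob":   {"hash": _hash_password("bob-pw", _SALT),   "roles": {"staff"}},
}

# RBAC: roles grant permissions; each route demands one permission (constructed).
ROLE_PERMISSIONS = {
    "staff": {"dashboard:read"},
    "admin": {"dashboard:read", "billing:read", "users:manage"},
}
ROUTE_PERMISSION = {
    "/dashboard": "dashboard:read",
    "/billing": "billing:read",
    "/admin/users": "users:manage",
}


@dataclass(frozen=True)
class Principal:
    username: str
    roles: frozenset


def authenticate(authorization_header: Optional[str]) -> Optional[Principal]:
    """AuthN: answer "who are you?" from HTTP Basic credentials.

    Returns a Principal on success, None on any failure (missing header,
    malformed encoding, unknown user, wrong password).
    """
    if not authorization_header or not authorization_header.startswith("Basic "):
        return None
    try:
        decoded = base64.b64decode(authorization_header[6:], validate=True).decode()
    except ValueError:  # binascii.Error and UnicodeDecodeError are both ValueErrors
        return None
    username, _, password = decoded.partition(":")
    record = USERS.get(username)
    # Hash even for unknown users so response time does not reveal which usernames exist.
    expected = record["hash"] if record else _hash_password("", _SALT)
    if not hmac.compare_digest(_hash_password(password, _SALT), expected) or record is None:
        return None
    return Principal(username, frozenset(record["roles"]))


def authorize(principal: Principal, permission: str) -> bool:
    """AuthZ: answer "what can you do?" for an already authenticated principal."""
    granted = set()
    for role in principal.roles:
        granted |= ROLE_PERMISSIONS.get(role, set())
    return permission in granted


def handle_request(path: str, headers: dict) -> tuple:
    """Return (status, response_headers, body) for a request.

    AuthN runs first; a failure is 401 plus a WWW-Authenticate challenge.
    AuthZ runs only for an authenticated principal; a failure is 403.
    """
    permission = ROUTE_PERMISSION.get(path)
    if permission is None:
        return 404, {}, "not found"
    principal = authenticate(headers.get("Authorization"))
    if principal is None:
        return 401, {"WWW-Authenticate": 'Basic realm="example"'}, "authentication required"
    if not authorize(principal, permission):
        return 403, {}, f"{principal.username} is not permitted to access {path}"
    return 200, {}, f"hello {principal.username}"


def basic(username: str, password: str) -> str:
    """Build an HTTP Basic Authorization header value (test helper)."""
    return "Basic " + base64.b64encode(f"{username}:{password}".encode()).decode()


if __name__ == "__main__":
    print(handle_request("/billing", {}))                                       # 401: no credentials
    print(handle_request("/billing", {"Authorization": basic("bob", "nope")}))  # 401: wrong password
    print(handle_request("/billing", {"Authorization": basic("bob", "bob-pw")}))  # 403: staff, not admin
    print(handle_request("/billing", {"Authorization": basic("alice", "alice-pw")}))  # 200
```

Note the ordering in handle_request: the role check never runs unless authentication succeeded, so a 403 always implies a known identity, which is exactly the distinction the status codes encode.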

What is OAuth — authentication or authorization?

OAuth 2.0 (RFC 6749) is an authorization framework: it lets a user grant a third-party app limited access to resources (scopes) without sharing their password. An OAuth access token says what the bearer may do, not who the user is, so treating it as proof of identity is a common misuse. OpenID Connect (OIDC), built on top of OAuth 2.0, adds the ID token and handles authentication.

What is SSO?

Single Sign-On: you authenticate once with an identity provider and gain access to multiple services without re-entering credentials, typically via SAML or OIDC. It's an authentication mechanism; each service still performs its own authorization on the identity it receives.