Instead of “auth”, we should say “permissions” and “login”

Existing Terminology and Industry Practice

  • Many commenters say “authentication” and “authorization” (or AuthN/AuthZ) are long‑established, well‑defined security terms (often taught as part of AAA: Authentication, Authorization, Accounting).
  • IAM / CIAM, SSO, roles, groups, and claims are frequently mentioned as the standard conceptual ecosystem.
  • Some prefer the shorthand “authn/authz” or “AuthN/AuthZ” because they are visually distinct and used across tools and specs (e.g., Apache modules).

Support for Using “Login” and “Permissions”

  • Several agree that “auth” is ambiguous and that “authentication/authorization” are easily confused, especially in speech or for non‑native speakers.
  • “Login” and “permissions” are seen as more intuitive for laypeople; some would use them in user‑facing UI, docs, and high‑level explanations.
  • A few note they personally still mentally double‑check which of authentication/authorization is which, suggesting the terminology never became “effortless.”

Critiques of “Login” / “Permissions” Proposal

  • Many argue “login” is too narrow:
    • Does not fit token, API key, bearer token, or certificate‑based flows.
    • Suggests a session and interactive user; fails for service accounts, bots, S/MIME, TLS, etc.
  • “Permissions” is seen as only one mechanism within authorization:
    • Policies, time‑of‑use, license checks, org rules, and auditability go beyond a simple permissions list.
    • In formal RBAC, a “permission” is typically an operation–object pair; authorization is the binding of those to users/roles.

Ambiguity, Misuse, and Real‑World Warts

  • People report frequent confusion:
    • Developers and admins collapse everything into “auth.”
    • OAuth’s name versus its typical usage, and HTTP 401 “Unauthorized” versus 403 “Forbidden,” are cited as long‑standing misnomers (401 actually signals a failed or missing authentication; 403 signals a failed authorization).
  • Some security practitioners explicitly avoid bare “auth,” using only AuthN/AuthZ or full words.
  • Others argue the real issue is education and sloppy communication, not the words themselves; changing labels may just create new ambiguities.
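An added illustration, not code from the thread, of the two checks the commenters keep apart: authentication from more than one credential type (so “login” alone is too narrow), RBAC authorization with permissions as (operation, object) pairs bound to roles, and the 401/403 mapping. All names, credentials and role data are constructed sample values.

```python
import hmac
from dataclasses import dataclass
from typing import Optional

# Constructed RBAC data: permission = (operation, object), bound to roles.
ROLE_PERMISSIONS = {
    "viewer": {("read", "report")},
    "editor": {("read", "report"), ("write", "report")},
}
# Constructed credential stores: an interactive password and a service API key.
PASSWORDS = {"alice": "correct-horse"}
API_KEYS = {"key-svc-123": "report-bot"}
ROLE_BINDINGS = {"alice": {"viewer"}, "report-bot": {"editor"}}


@dataclass
class Principal:
    name: str
    method: str  # "password" or "api_key": authentication is wider than "login"


def authenticate(credential: dict) -> Optional[Principal]:
    """AuthN: establish *who* is calling, from any supported credential type."""
    if credential.get("type") == "password":
        stored = PASSWORDS.get(credential.get("user"))
        supplied = credential.get("password", "")
        # Constant-time comparison so a wrong guess leaks no timing information.
        if stored is not None and hmac.compare_digest(stored, supplied):
            return Principal(credential["user"], "password")
    elif credential.get("type") == "api_key":
        name = API_KEYS.get(credential.get("key"))
        if name:
            return Principal(name, "api_key")
    return None  # unauthenticated: identity could not be established


def authorize(principal: Principal, operation: str, obj: str) -> bool:
    """AuthZ: is (operation, obj) granted by any role bound to this principal?"""
    for role in ROLE_BINDINGS.get(principal.name, set()):
        if (operation, obj) in ROLE_PERMISSIONS.get(role, set()):
            return True
    return False


def handle(credential: dict, operation: str, obj: str) -> int:
    """Map the two distinct failures to the HTTP codes the thread calls misnamed."""
    principal = authenticate(credential)
    if principal is None:
        return 401  # "Unauthorized": actually means not authenticated
    if not authorize(principal, operation, obj):
        return 403  # "Forbidden": authenticated, but not permitted
    return 200
```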

Language, Jargon, and Audience

  • Several distinguish between:
    • Precise technical terms for engineers and standards.
    • Simpler phrases (“login,” “permissions,” “access control,” “identity”) for product copy and non‑technical stakeholders.
  • There is disagreement on whether renaming improves clarity or just adds yet another competing “standard.”