
I had heard authn/authz before, never realized/read into what they were:

> How are authn and authz different? To put it simply, authn has to do with identity, or who someone is, while authz has to do with permissions, or what someone is allowed to do.
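The quoted distinction, carried into code as an added example (not from the post or any project it mentions): a request is first authenticated, establishing who the caller is from a token the system itself signed, and only then authorized against a permission table, so an unknown identity and a known-but-unpermitted identity are kept apart. The HMAC key, the users and the permissions are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional

# Constructed demo key: only the issuing system holds it, so a valid signature proves the token is ours.
SECRET_KEY = b"constructed-demo-signing-key"
# Constructed permission table (authz data): what each known identity may do.
PERMISSIONS = {"alice": {"report:read", "report:write"}, "bob": {"report:read"}}

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()

def issue_token(subject: str, now: float, ttl_seconds: int = 3600) -> str:
    """Mint a token asserting an identity; only a holder of SECRET_KEY can produce a valid one."""
    claims = json.dumps({"sub": subject, "exp": int(now) + ttl_seconds}).encode()
    payload = base64.urlsafe_b64encode(claims).decode()
    return f"{payload}.{_sign(payload.encode())}"

def authenticate(token: str, now: float) -> Optional[str]:
    """authn: establish WHO is calling. Returns the subject, or None if the token is not ours or has expired."""
    payload, sep, sig = token.partition(".")
    if not sep:
        return None
    # Constant-time comparison so a forged signature is rejected without leaking timing.
    if not hmac.compare_digest(_sign(payload.encode()), sig):
        return None
    claims = json.loads(base64.urlsafe_b64decode(payload))
    if claims["exp"] < now:
        return None
    return claims["sub"]

def authorize(subject: str, permission: str) -> bool:
    """authz: decide WHAT an already-identified subject may do."""
    return permission in PERMISSIONS.get(subject, set())

def handle_request(token: str, permission: str, now: float) -> int:
    """HTTP-style outcome: 401 = identity unknown, 403 = identity known but not permitted, 200 = allowed."""
    subject = authenticate(token, now)
    if subject is None:
        return 401  # authn failed: we cannot say who this is, so authz never runs
    if not authorize(subject, permission):
        return 403  # authn succeeded but authz failed: we know who, and they may not
    return 200

if __name__ == "__main__":
    t = issue_token("bob", now=1_700_000_000)
    print(handle_request(t, "report:write", now=1_700_000_000))  # 403: bob is authenticated but not authorized
```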



Just to be clear, these two are short for authentication and authorization, right?

I guess it's awkward that those two related but different concepts share the same first 4 letters. But I think authc would have been clearer for disambiguation than authn.


It would be even clearer if we just called them “identity” and “access” (or “permission”) instead of abbreviating longer terms with a common prefix.

And we kind of do, in other (but closely related) contexts; e.g., the common cloud systems for managing both are “identity and access management systems" not “authentication and authorization management systems”.

(Though, yes, “access" sometimes means something else; nothing is perfect.)


"Authn" and "authz" have over the last 10 years become the standard terms of art in software security for distinguishing between identification controls and access management controls, so whatever other terminology one might want to use --- authc, AAA, whatever --- you should probably keep authn and authz in your resident set.


Yes, that's what they're short for.


authn/autho are much clearer in my opinion


In one of my crazy experimentation repos I played with just dropping the confusing "auth" portion, leaving "orization" and "entication". I don't know that those exact terms are a winner, though they did work quite effectively for me, but I think dropping the "auth" bit has some promise in the general sense. Leaving the redundant and confusing part at the beginning and lowering the disambiguation down to one letter seems like the wrong direction, no matter what the one letter is.


The ambiguity of just "auth" is useful when describing it at a higher level.

I can say "auth service" and it's well understood, even to the user, that service identifies them and determines their permissions.


Yep, "authn" is good because it sounds like the first two syllables of "auth-en-ti-ca-tion".

I now agree with you that "autho" would have been better for the same reason. Although "authz" sounds cooler :)


good ol' auth'n 'n' autho'


I wish it were authi and authp for identity and permissions


To add to the other two sibling comments pointing out flaws in those shortened terms, in British English it's spelled authorisation, so it would give "auths", which is even more confusing.


One more wrinkle: authorization starts with “author” but in computer security is no longer about who wrote the data but rather if they are allowed to. It has its origin in “to determine the author of” but the modern usage is at least twice removed from that, in that it’s really checking if the _token_ was written by the _system_ not if the user was the content author.


Author stems from the same Latin root as authority, namely auctor, meaning "master, leader, author".

<https://www.etymonline.com/word/authority>

<https://www.etymonline.com/word/author>

So an author is one who creates, but also a "source of authoritative information or opinion".

Confusingly, authentic seems to have a different etymology, *autos "self" (see auto-) + hentes* "doer, being".

<https://www.etymonline.com/word/authentic>

So to authenticate an author as an authority derives three meanings from two separate roots.


I see it more about having the "authority" semantic root, ie: who has the authority to act on something.


IMO it's a case where shortening the words is pretty detrimental, because the points of authentication and authorization are already in the words and make sense. Plus both words end with "n", so "authn" doesn't make sense at first glance.


It’s historically been abbreviated AAA, “triple A”, for Access, Authentication, and Authorization. Each is a separate system; VPNs and firewalls traditionally control access, for example.


I've also seen AAA used, but standing for Authentication, Authorization, and Accounting. The Wikipedia page [1] is short, but it refers to the context I've seen that in.

[1] https://en.wikipedia.org/wiki/AAA_(computer_security)
