I think that can always be used.
But MVC provides attributes like Authorize for providing authorization based on roles.
And considering Authentication both forms and windows can be used for sure.
But in MVC you can create Custom Authorize attributes. Check the links below:-
Custom Forms Authentication in ASP.NET MVC Application[
^]
Custom attribute that access parameters[
^]
Post back your queries if any.
Hope this helps.
Thanks