Authorization and Authentication are two different things. It sounds like you are trying to use the AuthorizeAttribute to authenticate which should actually be happening by your membership provider.
So in short, authentication is a way for you to identify who your users are and authorization is how you identify what access a user has, identified or not.
One thing to mention from the docs on AuthorizeAttribute:
"When you mark an action method with AuthorizeAttribute, access to that action method is restricted to users who are both authenticated and authorized. If you mark a controller with the attribute, all action methods in the controller are restricted."
So it isn't performing the authentication for you but checking it.