MQTT Security Fundamentals: Authentication with Username and Password
Last week, we introduced the basics of security in MQTT. Today’s post digs into more details. Let’s start with Authentication in MQTT.
Authentication is part of the transport and application level security in MQTT. With Transport Layer Security (TLS), the successful validation of a client certificate is used to authenticate the client to the server. On the application level, the MQTT protocol provides username and password for authentication. Different broker implementations exist in addition to these levels. This post gives you an overview of authentication in general and the authentication capabilities that are built into the MQTT protocol specifically. Next week, we look at different approaches that broker implementations take with authentication.
According to Wikipedia:
Authentication is the act of confirming the truth of an attribute of a single piece of data or entity.
In short, authentication verifies whether a person, device or application is who they say they are.
Air travel is a classic example of authentication: Before you are permitted to board a plane, airport security asks you to present appropriate identification. For example, your passport. The passport authenticates you as the person to whom the airline issued the ticket. Your passport verifies your identity and your name. Anyone can state your name, but only you can provide your passport as proof of your identity.
We use authentication processes everyday without even noticing. Every time you log into your computer, you provide a username and a password. The username states your identity and entry of the password authenticates you as the rightful owner of that identity.
MQTT authentication with username/password
The MQTT protocol provides username and password fields in the CONNECT message for authentication. The client has the option to send a username and password when it connects to an MQTT broker. For more details, see MQTT Essentials: Establishing an MQTT connection.
The username is an UTF-8 encoded string. The password is binary data with a maximum of 65535 bytes. The MQTT specification states that you can send a username without password, but it is not possible to send a password without username. MQTT version 3.1.1 also removes the previous recommendation for 12 character passwords.
When you use the built-in MQTT username/password authentication, the MQTT broker evaluates credentials based on the authentication mechanism that is implemented (more on that in the next post) and returns one of the following return codes:
|Return Code||Return Code Response|
|4||Connection Refused, bad user name or password|
|5||Connection Refused, not authorized|
For a full list of all return codes, see MQTT Essentials: Establishing an MQTT connection.
When the username and password are set on the client, the information is sent to the broker in plain text. This text is vulnerable to eavesdropping and provides an easy way for attackers to obtain the credentials. Secure transmission of usernames and passwords requires transport encryption.
Next week, we look at the different ways to implement authentication on the broker side. For example, verifying the provided username and password or using attributes such as the client identifier for the authentication.
We hope you enjoyed part two of the MQTT Security Fundamentals. To get the next part of this series as soon as it is released, enter your email in the subscription form below. If you prefer RSS, you can subscribe to our RSS feed. As always, feel free to use the comments for suggestions and questions.