Authentication with Username and Password - MQTT Security Fundamentals

Written by HiveMQ Team

Category: MQTT Security Fundamentals MQTT IoT Security

Published: April 20, 2015

Authentication is part of transport-level and application-level security in MQTT. With Transport Layer Security (TLS), the successful validation of a client certificate authenticates the client to the server. On the application level, the MQTT protocol provides username and password fields for authentication. Broker implementations add their own authentication mechanisms on top of these two levels. This post gives you an overview of authentication in general and of the authentication capabilities that are built into the MQTT protocol. Next week, we look at the different approaches that broker implementations take to authentication.


According to Wikipedia:

Authentication is the act of confirming the truth of an attribute of a single piece of data or entity.

In short, authentication verifies whether a person, device or application is who they say they are.

Air travel is a classic example of authentication: before you are permitted to board a plane, airport security asks you to present appropriate identification, for example your passport. The passport authenticates you as the person to whom the airline issued the ticket. Your passport verifies your identity and your name. Anyone can state your name, but only you can provide your passport as proof of your identity.

We use authentication processes every day without even noticing. Every time you log into your computer, you provide a username and a password. The username states your identity, and entering the password authenticates you as the rightful owner of that identity.

MQTT authentication with username/password

The MQTT protocol provides username and password fields in the CONNECT message for authentication. The client has the option to send a username and password when it connects to an MQTT broker. For more details, see MQTT Essentials: Establishing an MQTT connection.

MQTT Connect message content with username and password for Authentication

The username is a UTF-8 encoded string. The password is binary data with a maximum length of 65535 bytes. The MQTT specification states that you can send a username without a password, but it is not possible to send a password without a username. MQTT version 3.1.1 also removes the previous recommendation of 12-character passwords.

MQTT Connack contents after authentication to secure MQTT communication.

When you use the built-in MQTT username/password authentication, the MQTT broker evaluates credentials based on the authentication mechanism that is implemented (more on that in the next post) and returns one of the following return codes:

Return Code | Response
0 | Connection Accepted
4 | Connection Refused, bad user name or password
5 | Connection Refused, not authorized

For a full list of all return codes, see MQTT Essentials: Establishing an MQTT connection.

When the username and password are set on the client, they are sent to the broker in plain text. Anyone who can observe the network traffic can read them, which gives an attacker an easy way to obtain the credentials. Secure transmission of usernames and passwords therefore requires transport encryption, for example TLS.
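As an added example (not code from the original post or from HiveMQ), the following Python encodes an MQTT 3.1.1 CONNECT packet with the username and password fields described above, refuses a password without a username as the specification requires, and decodes the CONNACK return codes from the table. The byte layout follows the MQTT 3.1.1 specification; the client identifier and credentials are constructed sample values.

```python
import struct
from typing import Optional

# CONNACK return codes relevant to authentication (MQTT 3.1.1)
CONNACK_CODES = {
    0: "Connection Accepted",
    4: "Connection Refused, bad user name or password",
    5: "Connection Refused, not authorized",
}

def _utf8_field(s: str) -> bytes:
    """Length-prefixed UTF-8 string field as used throughout MQTT 3.1.1."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data

def _remaining_length(n: int) -> bytes:
    """MQTT variable-length encoding of the fixed header's Remaining Length."""
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)  # continuation bit while more follows
        if not n:
            return bytes(out)

def build_connect(client_id: str, username: Optional[str] = None,
                  password: Optional[bytes] = None, keep_alive: int = 60) -> bytes:
    """Encode an MQTT 3.1.1 CONNECT packet, enforcing the spec's credential rules."""
    if password is not None and username is None:
        raise ValueError("MQTT 3.1.1 does not allow a password without a username")
    if password is not None and len(password) > 65535:
        raise ValueError("password exceeds the 65535-byte limit")
    flags = 0x02  # clean session; bit 7 = username flag, bit 6 = password flag
    payload = _utf8_field(client_id)
    if username is not None:
        flags |= 0x80
        payload += _utf8_field(username)
    if password is not None:
        flags |= 0x40
        payload += struct.pack("!H", len(password)) + password  # binary, not UTF-8
    variable_header = _utf8_field("MQTT") + bytes([4, flags]) + struct.pack("!H", keep_alive)
    body = variable_header + payload
    return b"\x10" + _remaining_length(len(body)) + body

def connack_result(packet: bytes) -> str:
    """Decode the broker's CONNACK and return the text for its return code."""
    if len(packet) != 4 or packet[0] != 0x20 or packet[1] != 0x02:
        raise ValueError("not a well-formed CONNACK")
    return CONNACK_CODES.get(packet[3], f"return code {packet[3]}")
```

Inspecting the bytes that build_connect returns shows the username and password verbatim in the payload, which is exactly the exposure the text warns about when the connection is not protected by TLS.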

In our next post, we look at advanced mechanisms for implementing authentication on the broker side, for example verifying the provided username and password, or using attributes such as the client identifier for authentication.

We hope you enjoyed part two of the MQTT Security Fundamentals. Subscribe to our RSS feed to get notified of our new content. As always, feel free to use the comments for suggestions or questions.

About HiveMQ Team

We love writing about MQTT, IoT protocols and architecture in general. Our experts are here to help, so reach out to us if we can help!
