Enhanced Authentication - MQTT 5 Essentials Part 11

Written by Georg Held

Category: MQTT 5, MQTT 5 Essentials, HiveMQ, IoT, Security, Auth

Published: March 6, 2020

Updated: June 29, 2023

Welcome to Part 11 of our MQTT 5 Essentials series. In Part 10 of this series, we delved into the concept of Topic Alias within MQTT 5. We explored its role in optimizing bandwidth usage and reducing network overhead, providing invaluable insights into enhancing overall efficiency. In this article, we will cover Enhanced Authentication.

Modern IoT projects have evolved into large, complex projects, especially when robust security measures are paramount. These expansive initiatives often involve collaboration between multiple vendors and teams. Adhering to internationally accepted standards becomes crucial to streamline the challenges encountered in such projects. Enhanced Authentication helps ensure compliance with these standards.

Implementing Challenge-Response Authentication

By incorporating challenge-response authentication into your MQTT 5 implementation, you can access industry-standard authentication mechanisms like the Salted Challenge Response Authentication Mechanism (SCRAM) or the Kerberos protocol. These widely recognized protocols further bolster the security of your IoT infrastructure by adding a layer of verification.

What is Authentication Flow in MQTT?

The authentication flow in enhanced authentication relies on three MQTT packet types: CONNECT and CONNACK (both already present in MQTT 3) and AUTH, which is new in MQTT 5. The client sends CONNECT and the server answers with CONNACK; each of these is used exactly once per authentication. AUTH, on the other hand, can be sent multiple times by both the server and the client.

The core of the authentication flow revolves around two packet properties: the Authentication Method (property identifier 21) and the Authentication Data (property identifier 22). These properties are set on every packet involved in the enhanced authentication flow.

Figure: Authentication Flow

Authentication Method in MQTT

With the Authentication Method, the client and server select and describe the agreed-upon authentication mechanism. It is a string, conventionally the name used to identify a SASL (Simple Authentication and Security Layer) mechanism; examples are SCRAM-SHA-1 for SCRAM with SHA-1 and GS2-KRB5 for Kerberos.

The Authentication Method assigns significance to the exchanged data during enhanced authentication and should remain constant throughout the process, ensuring consistency and integrity.

Authentication Data in MQTT

Authentication Data is binary information exchanged during the authentication process. It typically carries encrypted secrets or the individual steps of the chosen protocol, exchanged over several round trips. Its exact content depends on the mechanism named by the Authentication Method and is therefore specific to the application in use.
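The wire-level view of these two properties, as an added example that is not part of the article or of the HiveMQ SDK: a small Python encoder and decoder for the MQTT 5 AUTH packet. The constants are the values from the MQTT 5 specification (control packet type 15, property identifiers 21 and 22, reason codes 0x00 Success, 0x18 Continue authentication and 0x19 Re-authenticate); the function names are this example's own. The decoder rejects the protocol errors a broker has to catch: reserved flag bits, a remaining length that does not match, a missing or repeated Authentication Method, and a property that AUTH does not allow.

```python
"""Encode and decode MQTT 5 AUTH packets (constructed example, not HiveMQ code)."""
from typing import Optional, Tuple

AUTH_FIRST_BYTE = 0xF0      # control packet type 15 in the high nibble, flag bits must be 0
PROP_AUTH_METHOD = 0x15     # property identifier 21: UTF-8 string
PROP_AUTH_DATA = 0x16       # property identifier 22: binary data
PROP_REASON_STRING = 0x1F   # 31: UTF-8 string, informational
PROP_USER_PROPERTY = 0x26   # 38: UTF-8 string pair
REASON_SUCCESS, REASON_CONTINUE, REASON_REAUTHENTICATE = 0x00, 0x18, 0x19


def encode_vbi(n: int) -> bytes:
    """MQTT Variable Byte Integer: 7 data bits per byte, high bit set while more bytes follow."""
    if not 0 <= n <= 268_435_455:
        raise ValueError("variable byte integer out of range")
    out = bytearray()
    while True:
        byte, n = n % 128, n // 128
        out.append(byte | 0x80 if n else byte)
        if not n:
            return bytes(out)


def decode_vbi(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (value, position after the integer); more than 4 bytes is malformed."""
    value, multiplier = 0, 1
    for _ in range(4):
        if pos >= len(buf):
            raise ValueError("truncated variable byte integer")
        byte = buf[pos]
        pos += 1
        value += (byte & 0x7F) * multiplier
        if not byte & 0x80:
            return value, pos
        multiplier *= 128
    raise ValueError("malformed variable byte integer")


def _length_prefixed(data: bytes) -> bytes:
    if len(data) > 0xFFFF:
        raise ValueError("field longer than 65535 bytes")
    return len(data).to_bytes(2, "big") + data


def _read_length_prefixed(buf: bytes, pos: int) -> Tuple[bytes, int]:
    n = int.from_bytes(buf[pos:pos + 2], "big")
    if pos + 2 + n > len(buf):
        raise ValueError("field runs past the end of the packet")
    return buf[pos + 2:pos + 2 + n], pos + 2 + n


def encode_auth(reason_code: int, method: str, data: Optional[bytes] = None) -> bytes:
    """Build an AUTH packet; the Authentication Method is mandatory once any property is present."""
    props = bytes([PROP_AUTH_METHOD]) + _length_prefixed(method.encode("utf-8"))
    if data is not None:
        props += bytes([PROP_AUTH_DATA]) + _length_prefixed(data)
    body = bytes([reason_code]) + encode_vbi(len(props)) + props
    return bytes([AUTH_FIRST_BYTE]) + encode_vbi(len(body)) + body


def decode_auth(packet: bytes) -> dict:
    """Parse an AUTH packet into reason code, method and data; raise ValueError on protocol errors."""
    if not packet or packet[0] != AUTH_FIRST_BYTE:
        raise ValueError("not an AUTH packet, or reserved flag bits set")
    remaining, pos = decode_vbi(packet, 1)
    if pos + remaining != len(packet):
        raise ValueError("remaining length does not match the packet size")
    result = {"reason_code": REASON_SUCCESS, "method": None, "data": None}
    if remaining == 0:                  # short form: Success and no properties at all
        return result
    result["reason_code"] = packet[pos]
    pos += 1
    if result["reason_code"] not in (REASON_SUCCESS, REASON_CONTINUE, REASON_REAUTHENTICATE):
        raise ValueError("invalid AUTH reason code")
    prop_len, pos = decode_vbi(packet, pos)
    end = pos + prop_len
    if end > len(packet):
        raise ValueError("property length runs past the end of the packet")
    while pos < end:
        ident = packet[pos]
        pos += 1
        if ident in (PROP_AUTH_METHOD, PROP_AUTH_DATA):
            key = "method" if ident == PROP_AUTH_METHOD else "data"
            if result[key] is not None:
                raise ValueError(f"property {ident} included more than once")
            raw, pos = _read_length_prefixed(packet, pos)
            result[key] = raw.decode("utf-8") if key == "method" else raw
        elif ident == PROP_REASON_STRING:
            _, pos = _read_length_prefixed(packet, pos)
        elif ident == PROP_USER_PROPERTY:
            _, pos = _read_length_prefixed(packet, pos)   # name
            _, pos = _read_length_prefixed(packet, pos)   # value
        else:
            raise ValueError(f"property {ident} is not allowed in AUTH")
    if pos != end or result["method"] is None:
        raise ValueError("property length mismatch or Authentication Method missing")
    return result
```

encode_auth(REASON_CONTINUE, "SCRAM-SHA-1", challenge) produces the packet a broker would send as its challenge; decode_auth on the client's reply yields the method, which the receiver should compare against the method it started with, since the flow requires it to stay constant.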

Source Code Example of Enhanced Authentication in MQTT

In this code snippet, we use the HiveMQ Extension SDK to implement enhanced authentication. The authenticator first checks that the client's Authentication Method is supported and that the data sent with CONNECT is valid, answers with an AUTH message carrying a challenge, and then decides the connecting client's state once the client's AUTH response has been exchanged. The mechanism-specific helpers (authenticationMethodIsSupported and validateClientAuthenticationData) are not shown.

import com.hivemq.extension.sdk.api.auth.EnhancedAuthenticator;
import com.hivemq.extension.sdk.api.auth.parameter.EnhancedAuthConnectInput;
import com.hivemq.extension.sdk.api.auth.parameter.EnhancedAuthInput;
import com.hivemq.extension.sdk.api.auth.parameter.EnhancedAuthOutput;
import com.hivemq.extension.sdk.api.packets.auth.AuthPacket;
import com.hivemq.extension.sdk.api.packets.connect.ConnectPacket;

public class MyEnhancedAuthenticator implements EnhancedAuthenticator {
    @Override
    public void onConnect(EnhancedAuthConnectInput input, EnhancedAuthOutput output) {
        final ConnectPacket connectPacket = input.getConnectPacket();
        // Is the given authentication method supported?
        // Did the client provide valid authentication data?
        if (authenticationMethodIsSupported(connectPacket.getAuthenticationMethod())
                && validateClientAuthenticationData(connectPacket.getAuthenticationData())) {
            // Send an AUTH message that contains a challenge!
            output.continueAuthentication(createChallenge());
        } else {
            // Fail the authentication and disconnect the client.
            output.failAuthentication("Unsupported authentication method or invalid authentication data");
        }
    }

    @Override
    public void onAuth(EnhancedAuthInput input, EnhancedAuthOutput output) {
        final AuthPacket authPacket = input.getAuthPacket();
        // Try to validate the response.
        if (validateClientAuthenticationData(authPacket.getAuthenticationData())) {
            // Allow the client to connect to the server.
            output.authenticateSuccessfully();
        } else {
            // Fail the authentication and disconnect the client.
            output.failAuthentication("Invalid authentication data");
        }
    }
    // authenticationMethodIsSupported, validateClientAuthenticationData and createChallenge
    // are mechanism-specific helpers that are not shown here.
}


The significance of Enhanced Authentication cannot be overstated. In a world where the proliferation of interconnected devices has amplified the importance of secure communication, MQTT 5 steps up to the challenge. This advanced authentication mechanism empowers organizations to safeguard their IoT infrastructure, sensitive data, and the privacy of their users. Continuing the series, Part 12 will focus on Flow Control in MQTT 5.

FAQs on MQTT Enhanced Authentication

Authentication methods such as SCRAM require multiple exchanges of authentication data, which the single exchange of CONNECT and CONNACK packets cannot provide. To overcome this limitation, MQTT 5 introduces the AUTH packet, which allows authentication data to be exchanged as many times as the mechanism needs. This makes SASL (Simple Authentication and Security Layer) mechanisms usable in MQTT in a challenge-response style.

Enhanced authentication was introduced in MQTT 5.0. So, you need to ensure that both your client and broker support this version of the protocol.
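As an added example serving both the challenge-response section above and the FAQ answer on SCRAM (it is not code from the article or from HiveMQ): a self-contained Python implementation of SCRAM-SHA-1 as defined in RFC 5802, driven through the four packets of the enhanced authentication flow. The packets are modelled as (packet type, Authentication Method, Authentication Data) tuples rather than real MQTT frames, the credential store is a plain dict, the class and function names are this example's own, and SCRAM username escaping and channel binding are left out. It shows why the flow needs more than one round trip: the broker stores only salt, iteration count, StoredKey and ServerKey, the client proves the password without sending it, the server's final signature lets the client verify the broker, and the Authentication Method is identical on every packet, as the article requires.

```python
"""SCRAM-SHA-1 (RFC 5802) carried over the four MQTT 5 enhanced-authentication packets (constructed example)."""
import base64
import hashlib
import hmac
import os
import secrets

AUTH_METHOD = "SCRAM-SHA-1"   # the Authentication Method stays constant for the whole flow

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _attrs(message: str) -> dict:
    # SCRAM 'k=v,k=v' text; base64 values may themselves contain '=', so split on the first one only
    return dict(part.split("=", 1) for part in message.split(","))

def enroll(password: str, iterations: int = 4096) -> tuple:
    """Broker-side credential record: salt, iteration count, StoredKey, ServerKey (never the password)."""
    salt = os.urandom(16)
    salted = hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations)
    stored_key = hashlib.sha1(_hmac(salted, b"Client Key")).digest()
    return salt, iterations, stored_key, _hmac(salted, b"Server Key")

class ScramServer:
    """Broker side of one client session; user_db maps username -> enroll() record."""
    def __init__(self, user_db: dict) -> None:
        self.user_db = user_db
        self.user = self.bare = self.first = self.nonce = None

    def server_first(self, client_first: bytes) -> bytes:
        text = client_first.decode()
        if not text.startswith("n,,"):                    # gs2 header: no channel binding, no authzid
            raise ValueError("unsupported gs2 header")
        self.bare = text[3:]
        self.user = _attrs(self.bare)["n"]
        if self.user not in self.user_db:
            raise ValueError("unknown user")
        salt, iterations, _, _ = self.user_db[self.user]
        self.nonce = _attrs(self.bare)["r"] + secrets.token_urlsafe(18)   # server extends the client nonce
        self.first = f"r={self.nonce},s={base64.b64encode(salt).decode()},i={iterations}"
        return self.first.encode()

    def server_final(self, client_final: bytes) -> bytes:
        _, _, stored_key, server_key = self.user_db[self.user]
        text = client_final.decode()
        a = _attrs(text)
        if a["r"] != self.nonce:
            raise ValueError("nonce mismatch")
        without_proof = text.rsplit(",p=", 1)[0]
        auth_message = f"{self.bare},{self.first},{without_proof}".encode()
        # ClientKey = ClientProof XOR HMAC(StoredKey, AuthMessage); correct only if H(ClientKey) == StoredKey
        client_key = _xor(base64.b64decode(a["p"]), _hmac(stored_key, auth_message))
        if not hmac.compare_digest(hashlib.sha1(client_key).digest(), stored_key):
            raise ValueError("invalid client proof")
        return b"v=" + base64.b64encode(_hmac(server_key, auth_message))

class ScramClient:
    def __init__(self, user: str, password: str) -> None:
        if "," in user or "=" in user:                    # SCRAM username escaping is not implemented here
            raise ValueError("username must not contain ',' or '='")
        self.password = password
        self.cnonce = secrets.token_urlsafe(18)
        self.bare = f"n={user},r={self.cnonce}"
        self.server_sig = b""

    def client_first(self) -> bytes:
        return ("n,," + self.bare).encode()

    def client_final(self, server_first: bytes) -> bytes:
        first = server_first.decode()
        a = _attrs(first)
        if not a["r"].startswith(self.cnonce):
            raise ValueError("server nonce does not extend client nonce")
        salted = hashlib.pbkdf2_hmac("sha1", self.password.encode(), base64.b64decode(a["s"]), int(a["i"]))
        client_key = _hmac(salted, b"Client Key")
        without_proof = f"c={base64.b64encode(b'n,,').decode()},r={a['r']}"
        auth_message = f"{self.bare},{first},{without_proof}".encode()
        proof = _xor(client_key, _hmac(hashlib.sha1(client_key).digest(), auth_message))
        self.server_sig = _hmac(_hmac(salted, b"Server Key"), auth_message)
        return f"{without_proof},p={base64.b64encode(proof).decode()}".encode()

    def verify_server_final(self, server_final: bytes) -> bool:
        return hmac.compare_digest(b"v=" + base64.b64encode(self.server_sig), server_final)

def run_flow(user_db: dict, user: str, password: str):
    """Drive the exchange; returns (authenticated, transcript of (packet, method, data) tuples)."""
    client, server, transcript = ScramClient(user, password), ScramServer(user_db), []
    try:
        data = client.client_first()                      # CONNECT: Authentication Method + client-first
        transcript.append(("CONNECT", AUTH_METHOD, data))
        data = server.server_first(data)                  # AUTH (Continue authentication): server-first
        transcript.append(("AUTH", AUTH_METHOD, data))
        data = client.client_final(data)                  # AUTH (Continue authentication): client-final + proof
        transcript.append(("AUTH", AUTH_METHOD, data))
        data = server.server_final(data)                  # CONNACK (Success): server signature
        transcript.append(("CONNACK", AUTH_METHOD, data))
        return client.verify_server_final(data), transcript
    except ValueError:
        transcript.append(("CONNACK", AUTH_METHOD, None))  # Not authorized: no Authentication Data returned
        return False, transcript
```

run_flow returns the authentication result together with the packet transcript; a wrong password or an unknown user ends with a CONNACK that carries no Authentication Data, and the client never learns which of the two it was.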

About Georg Held

Georg serves as an engineering manager at HiveMQ. Under his responsibility the HiveMQ Broker, Enterprise Extensions, and Swarm are developed.
