Skip to content

Enhanced Authentication - MQTT 5 Essentials Part 11

by Georg Held
(updated on ) 6 min read

Welcome to Part 11 of our MQTT 5 Essentials series. In Part 10 of this series, we delved into the concept of Topic Alias within MQTT 5. We explored its role in optimizing bandwidth usage and reducing network overhead, providing invaluable insights into enhancing overall efficiency. In this article, we will cover Enhanced Authentication.

Modern IoT projects have evolved into large, complex projects, especially when robust security measures are paramount. These expansive initiatives often involve collaboration between multiple vendors and teams. Adhering to internationally accepted standards becomes crucial to streamline the challenges encountered in such projects. Enhanced Authentication helps ensure compliance with these standards.

Implementing Challenge-Response Authentication

By incorporating challenge-response authentication into your MQTT 5 implementation, you can access industry-standard authentication mechanisms like the Salted Challenge Response Authentication Mechanism (SCRAM) or the Kerberos protocol. These widely recognized protocols further bolster the security of your IoT infrastructure by adding a layer of verification.

What is Authentication Flow in MQTT?

The authentication flow in enhanced authentication relies on three MQTT message types: CONNECT, CONNACK (already present in MQTT v3), and the new MQTT v5 AUTH message. Clients send CONNECT messages, while the server sends CONNACK messages. Both message types are used once during each authentication process. On the other hand, AUTH messages can be used multiple times by both the server and the client.

The core of the authentication flow revolves around two message properties: the Authentication Method (identified by byte 21) and the Authentication Data (identified by byte 22). These properties are set on every message involved in the enhanced authentication flow.

Authentication FlowAuthentication Flow

Authentication Method in MQTT

With the Authentication Method the client and server can select and describe the agreed-upon authentication approach. It is represented by method strings commonly used to identify SASL (Simple Authentication and Security Layer) mechanisms. For instance, examples of method strings include SCRAM-SHA-1 for SCRAM with SHA-1 or GS2-KRB5 for Kerberos.

The Authentication Method assigns significance to the exchanged data during enhanced authentication and should remain constant throughout the process, ensuring consistency and integrity.

Authentication Data in MQTT

Authentication Data refers to binary information utilized during the authentication process. It typically involves transferring encrypted secrets or protocol steps in multiple iterations. The specific content of the data heavily relies on the chosen mechanism employed in enhanced authentication and is specific to the application in use.

Source Code Example of Enhanced Authentication in MQTT

In this code snippet, we utilize the HiveMQ extension SDK to implement enhanced authentication. The purpose is to verify the support of the Authentication Method and determine the state of an MQTT client that is connecting after the exchange of two AUTH messages.

public class MyEnhancedAuthenticator implements EnhancedAuthenticator {
    public void onConnect(EnhancedAuthConnectInput input, EnhancedAuthOutput output) {
        final ConnectPacket connectPacket = input.getConnectPacket();
        // Is the given authentication method supported?
        if (authenticationMethodIsSupported(connectPacket.getAuthenticationMethod())) {
            // Did the client provide valid authentication data?
            if (validateClientAuthenticationData(connectPacket.getAuthenticationData())) {
                // Send an AUTH message that contains a challenge!
        // Fail the authentication and disconnect the client.
    public void onAuth(EnhancedAuthInput input, EnhancedAuthOutput output) {
        final AuthPacket authPacket = input.getAuthPacket();
        // Try to validate the response.
        if (validateClientAuthenticationData(authPacket.getAuthenticationData())) {
            // Allow the client to connect to the server.
        // Fail the authentication and disconnect the client.


The significance of Enhanced Authentication cannot be overstated. In a world where the proliferation of interconnected devices has amplified the importance of secure communication, MQTT 5 steps up to the challenge. This advanced authentication mechanism empowers organizations to safeguard their IoT infrastructure, sensitive data, and the privacy of their users. Continuing our sharing on MQTT 5 concepts, in Part 12 of this series, we will focus on the topic of Flow Control in MQTT 5.

Sign up for our newsletter to get regular updates. Subscribe to our RSS feed here to stay updated. We encourage you to visit our MQTT Glossary for an in-depth understanding of the essential MQTT terminologies. It will equip you with the necessary vocabulary to grasp the complexities of MQTT and its various versions.

FAQs on MQTT Topic Alias

Georg Held

Georg is Director of Product Development at HiveMQ. Under his responsibility the HiveMQ Broker, Enterprise Extensions, and Swarm are developed.

  • Georg Held on LinkedIn
  • Contact Georg Held via e-mail

Related content:

HiveMQ logo
Review HiveMQ on G2