
Advanced Authentication Mechanisms - MQTT Security Fundamentals

by HiveMQ Team

In our blog Authentication with Username and Password, we explained the basics of authentication and how the MQTT protocol provides a username and password in the CONNECT message for authentication. This blog introduces more ways to authenticate a client and shows you how to implement authentication on the MQTT broker.

MQTT Authentication with Other Information

In the last blog, we learned that authentication confirms the identity of something or someone. We also saw how a username and password combination can be used for authentication. In addition to the username and password, MQTT clients provide other information that can be used for authentication:

Client Identifier

Every MQTT client has a unique client identifier. The client provides this unique ID to the broker in the MQTT CONNECT message. The client ID can have a maximum of 65535 characters (the MQTT 3.1.1 specification removed the previous limit of 23 characters). It’s common practice to use the 36-character Universally Unique Identifier (UUID) or other unique client information, such as the MAC address of the network module or the device serial number, as the client ID. In the authentication process, client IDs are often used in combination with the username and password. A common way to confirm that a client may access the MQTT broker is to validate the username/password and then check that the client ID is the one registered for that credential combination. It is also possible to ignore the username/password and authenticate against the client ID alone; however, this method is not good security practice. (For some closed systems, this type of authentication may be sufficient.)

X.509 Certificate

Another possible authentication method is using an X.509 client certificate. The client presents this certificate to the broker during the TLS handshake (we explain more about transport-level security and how SSL/TLS works with MQTT in a later post). After a successful TLS handshake, some brokers such as HiveMQ permit use of certificate information for application-layer authentication. This enables the broker to read all of the information in the certificate and use it for authentication purposes as well. If you provision IoT devices, X.509 client certificates can be a very good source for authenticating clients on the MQTT broker.

Implementing Authentication with HiveMQ MQTT Broker

We’ve seen that there are different types of information available for authentication of an MQTT client. Now, it’s time to wire the MQTT broker to the authentication store, which can be a database, a web service, an LDAP directory or a simple access control list (ACL). Let’s take a look at how authentication logic can be implemented on the HiveMQ MQTT broker.

The HiveMQ broker has an open source plugin system that allows you to hook into different events on the broker. HiveMQ offers various callback interfaces that are very easy to implement in custom plugins. The broker calls the plugin implementations at runtime. HiveMQ provides the OnAuthenticationCallback interface for authentication.

import com.hivemq.spi.callback.CallbackPriority;
import com.hivemq.spi.callback.exception.AuthenticationException;
import com.hivemq.spi.callback.security.OnAuthenticationCallback;
import com.hivemq.spi.security.ClientCredentialsData;

public class AuthWithUsernamePasswordCallback implements OnAuthenticationCallback {
    @Override
    public Boolean checkCredentials(ClientCredentialsData clientCredentialsData) throws AuthenticationException {
        // Custom authentication logic goes here: inspect client ID, username, password and
        // certificate in clientCredentialsData; placeholder below denies by default
        return false;
    }
    @Override
    public int priority() {
        return CallbackPriority.MEDIUM; // ordering relative to other synchronous callbacks
    }
}

This callback implementation is sufficient for customizing the authentication mechanism to your use case. The callback method has one parameter of type ClientCredentialsData. This parameter contains all data that HiveMQ obtained from the connecting client. You can use this data to verify the client ID, username, password, and the certificate of the client. If the client presents valid information for authentication, this callback returns the value true.

There are two ways to decline authentication:

  • Returning the value false

  • Throwing an Exception

If the callback returns the value false, HiveMQ checks for other installed plugins and requests authentication from them. If one of these plugins returns the value true, HiveMQ authenticates the client. To prevent HiveMQ from consulting other plugins and to refuse the connection immediately, the callback must throw an exception. In case of an exception, it is also possible to set the CONNACK return code. We have an extensive example using a dummy implementation of username/password authentication on GitHub.
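The following callback, added here as an example and not taken from the HiveMQ project, puts the two decline paths and the client-ID binding described above into one class. It assumes the HiveMQ 3 plugin SPI, where getUsername() and getPassword() return a Guava Optional<String> and AuthenticationException takes a ReturnCode; the in-memory store and its values are constructed for the example.

```java
import com.google.common.base.Optional;
import com.hivemq.spi.callback.CallbackPriority;
import com.hivemq.spi.callback.exception.AuthenticationException;
import com.hivemq.spi.callback.security.OnAuthenticationCallback;
import com.hivemq.spi.message.ReturnCode;
import com.hivemq.spi.security.ClientCredentialsData;
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Collections;
import java.util.Map;

public class StaticStoreAuthCallback implements OnAuthenticationCallback {
    // Constructed sample store (hypothetical): username -> password, and username -> the one
    // client ID allowed to use those credentials. A real store would hold password hashes.
    private static final Map<String, String> PASSWORDS = Collections.singletonMap("sensor-user", "s3cret");
    private static final Map<String, String> BOUND_CLIENT_IDS =
            Collections.singletonMap("sensor-user", "3f1c2d44-9a9b-4f0e-8a7d-1c2b3a4d5e6f");

    @Override
    public Boolean checkCredentials(final ClientCredentialsData data) throws AuthenticationException {
        final Optional<String> username = data.getUsername();
        final Optional<String> password = data.getPassword();
        // No username/password at all: this plugin cannot decide. Returning false
        // lets HiveMQ ask the other installed authentication plugins.
        if (!username.isPresent() || !password.isPresent()) {
            return false;
        }
        final String expected = PASSWORDS.get(username.get());
        if (expected == null || !constantTimeEquals(expected, password.get())) {
            // Wrong credentials: throwing refuses the connection immediately,
            // skips the other plugins and sets the CONNACK return code.
            throw new AuthenticationException("bad username or password",
                    ReturnCode.REFUSED_BAD_USERNAME_OR_PASSWORD);
        }
        // Credentials are valid, but the client ID must be the one bound to them.
        if (!data.getClientId().equals(BOUND_CLIENT_IDS.get(username.get()))) {
            throw new AuthenticationException("client ID not bound to these credentials",
                    ReturnCode.REFUSED_NOT_AUTHORIZED);
        }
        return true;
    }

    // Compare passwords without stopping at the first mismatching byte.
    private static boolean constantTimeEquals(final String a, final String b) {
        return MessageDigest.isEqual(a.getBytes(StandardCharsets.UTF_8), b.getBytes(StandardCharsets.UTF_8));
    }

    @Override
    public int priority() {
        return CallbackPriority.MEDIUM;
    }
}
```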

Callbacks must be registered with HiveMQ by adding them to the callback registry. This can be done easily in the main class of a plugin. The main class is required for each plugin and needs to extend PluginEntryPoint. The callback is injected via dependency injection and added to the callback registry. Once the callback is in the registry, HiveMQ invokes it for connecting clients.

import com.hivemq.spi.PluginEntryPoint;
import com.hivemq.spi.callback.registry.CallbackRegistry;

import javax.annotation.PostConstruct;
import javax.inject.Inject;

public class AuthenticationExampleMainClass extends PluginEntryPoint {

    private final AuthWithUsernamePasswordCallback authWithUsernamePasswordCallback;

    // HiveMQ constructs the callback and injects it into the entry point
    @Inject
    public AuthenticationExampleMainClass(final AuthWithUsernamePasswordCallback authWithUsernamePasswordCallback) {
        this.authWithUsernamePasswordCallback = authWithUsernamePasswordCallback;
    }

    // Runs after injection; registering the callback makes HiveMQ call it on every CONNECT
    @PostConstruct
    public void postConstruct() {
        final CallbackRegistry callbackRegistry = getCallbackRegistry();
        callbackRegistry.addCallback(authWithUsernamePasswordCallback);
    }
}

You can find ready-to-use, open-source HiveMQ plugins for authenticating clients in our plugin directory, for example the File RBAC Extension for ACLs. If you need more information about how to develop, run, and deploy a custom authentication plugin for the HiveMQ broker, see the plugin developer guide.

This brings us to the end of the authentication part of MQTT Security Fundamentals. In the next post, we dive into topic-level authorization with MQTT.

We hope you enjoyed part three of the MQTT Security Fundamentals series. If you want to stay updated or get notified of our new content, subscribe to our newsletter or RSS feed. Feel free to use the comments section to ask questions or to leave feedback.
