Experimental Evaluation of MQTT Authentication Mechanisms: Reliability, Enforcement Accuracy, and Security Implications
Message Queuing Telemetry Transport (MQTT) is a lightweight communication protocol widely used in Internet of Things (IoT) systems; however, its original design prioritizes efficiency over security, making authentication and authorization critical areas of concern, particularly when wildcard subscriptions and access control misconfigurations are present. This study experimentally investigates the effectiveness, limitations, and performance impact of MQTT authentication and authorization mechanisms in a controlled IoT environment. The experiments were conducted using the Eclipse Mosquitto broker and MQTT clients implemented in C++, evaluating username/password and certificate-based authentication alongside Access Control List (ACL)–based authorization under multiple test scenarios. Metrics including authentication success rate, false acceptance and rejection rates, authorization effectiveness, latency, system throughput, and resource consumption were systematically measured. The results show that password-based authentication achieves high success rates when correctly configured but remains vulnerable in the absence of transport-layer security, while certificate-based authentication improves security at the cost of increased latency and computational overhead. Authorization effectiveness was strongly influenced by ACL granularity, with misconfigured or default policies enabling unauthorized access, especially when wildcard topic filters were used. Overall, the findings demonstrate a clear trade-off between security strength and system performance in MQTT-based IoT deployments. The study concludes that although MQTT provides basic security mechanisms, stronger and more fine-grained authentication and authorization strategies are required to achieve secure and scalable IoT communication.
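The authorization finding above (coarse or wildcard ACL entries granting more than intended) can be checked offline before deployment. The following Python example is added here and is not code from the paper or its C++ clients: it models Mosquitto-style ACL lines and MQTT topic-filter matching to audit which client may read or write which topic; the ACL, user names and topic inventory are constructed, and entries before any `user` line are assumed to belong to the anonymous client.

```python
def filter_matches(topic_filter: str, topic: str) -> bool:
    """MQTT filter match: '+' = one level, '#' (last level only) = all remaining
    levels; first-level wildcards never match '$'-prefixed topics such as $SYS/."""
    f_levels, t_levels = topic_filter.split("/"), topic.split("/")
    if topic.startswith("$") and f_levels[0] in ("+", "#"):
        return False
    for i, f in enumerate(f_levels):
        if f == "#":
            return True
        if i >= len(t_levels) or (f != "+" and f != t_levels[i]):
            return False
    return len(f_levels) == len(t_levels)

def parse_acl(text: str) -> dict:
    """Parse 'user <name>', 'topic [access] <filter>' and 'pattern [access] <filter>'
    lines; omitted access = readwrite; lines before any 'user' go under None (anonymous)."""
    acl, user = {"users": {}, "patterns": []}, None
    for line in (l.strip() for l in text.splitlines()):
        parts = line.split()
        if not parts or parts[0].startswith("#"):   # blank or whole-line comment
            continue
        if parts[0] == "user":
            user = parts[1]
            continue
        access = parts[1] if parts[1] in ("read", "write", "readwrite") else "readwrite"
        entry = (parts[-1], {"read", "write"} if access == "readwrite" else {access})
        if parts[0] == "topic":
            acl["users"].setdefault(user, []).append(entry)
        elif parts[0] == "pattern":
            acl["patterns"].append(entry)
    return acl

def allowed(acl: dict, user, topic: str, access: str) -> bool:
    """True if a user entry or a %u-substituted pattern grants `access` on `topic`."""
    entries = list(acl["users"].get(user, [])) + ([(f.replace("%u", user), a)
               for f, a in acl["patterns"]] if user is not None else [])
    return any(access in a and filter_matches(f, topic) for f, a in entries)

def audit(acl: dict, users, topics) -> dict:
    """Map each user to the (topic, access) pairs the ACL grants over `topics`."""
    return {u: {(t, a) for t in topics for a in ("read", "write")
                if allowed(acl, u, t, a)} for u in users}

# Constructed sample ACL and topic inventory (not from the paper's test bed).
SAMPLE_ACL = ("pattern read sensors/%u/#\npattern write actuators/%u/+\n"
              "user dashboard\ntopic read #\n"
              "user bob\ntopic readwrite sensors/#\n")   # over-broad: every client's sensors
SAMPLE_TOPICS = ["sensors/alice/temp", "sensors/bob/temp", "actuators/alice/valve", "$SYS/broker/clients/connected"]
if __name__ == "__main__":
    print(audit(parse_acl(SAMPLE_ACL), ["alice", "bob", "dashboard"], SAMPLE_TOPICS))
```

Running it shows `bob` obtaining write access to `sensors/alice/temp` through the `sensors/#` entry, while the dashboard's `#` subscription still does not reach `$SYS/` topics.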