Security

For device certificates, TLS/DTLS setup, and the Lobaro CA, see the Secure Communication page.

MQTT-Specific Recommendations

Authentication

Prefer client certificate authentication over username/password. If using username/password:

  • Use individual credentials per device — a compromised device can then be blocked without affecting others
  • Never use a public broker without authentication

Broker Access Control

Restrict each device's credentials to its own topics only. A device should only be allowed to publish and subscribe to the topics designated for it, which are identified by its DevEUI.

Warning: A single set of compromised credentials with access to all topics potentially compromises all devices on the broker.
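As an added example that is not part of the Lobaro documentation, the following Mosquitto broker configuration applies both the authentication and the access-control advice above: devices authenticate with a client certificate signed by the CA, the certificate CN (assumed here to be the DevEUI) becomes the MQTT username, and an ACL pattern confines each device to its own subtree. File paths and the `lobaro/<DevEUI>/up` and `lobaro/<DevEUI>/down` topic layout are assumptions; substitute the topics your integration actually uses.

```conf
# --- /etc/mosquitto/mosquitto.conf (assumed paths) ---
listener 8883
cafile   /etc/mosquitto/certs/ca.crt
certfile /etc/mosquitto/certs/broker.crt
keyfile  /etc/mosquitto/certs/broker.key

# Client certificate authentication: every device must present a certificate
# signed by the CA above, and the certificate CN is used as its MQTT username.
require_certificate       true
use_identity_as_username  true
allow_anonymous           false

# Per-device topic restrictions (with an ACL file present, anything not
# explicitly granted is denied).
acl_file /etc/mosquitto/acl

# --- /etc/mosquitto/acl ---
# %u expands to the connecting client's username. Because the username is the
# device's DevEUI, each device can only publish uplinks to, and read downlinks
# from, its own topics (assumed topic layout).
pattern write lobaro/%u/up
pattern read  lobaro/%u/down

# Backend account that consumes all uplinks and sends downlinks to any device.
# It authenticates with its own certificate (CN "backend"); keep it separate
# from device credentials so a compromised device cannot reach other devices.
user backend
topic read  lobaro/+/up
topic write lobaro/+/down
```

If username/password must be used instead of certificates, drop `require_certificate` and `use_identity_as_username`, add a `password_file`, and give each device its DevEUI as username so the same `%u` patterns still apply.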

Transport Security

Always use TLS between device and broker. If TLS is not possible, consider a private APN with an encrypted VPN as an alternative.