Message Queuing Telemetry Transport (MQTT) is a lightweight publish–subscribe protocol widely deployed in Internet of Things (IoT) systems. Although MQTT defines authentication and authorization mechanisms, their enforcement accuracy, configuration sensitivity, and operational cost under controlled misconfiguration conditions remain insufficiently quantified. This study experimentally quantifies authentication enforcement behavior and Access Control List (ACL) misconfiguration impact within a standards-compliant MQTT deployment under controlled laboratory conditions. Rather than benchmarking a specific software product, the work measures protocol-defined security behavior—including authentication success rate, false acceptance rate (FAR), false rejection rate (FRR), privilege-boundary preservation, authentication latency, and broker CPU utilization—across systematically constructed operational and failure scenarios. Username/password and mutual TLS authentication were evaluated under valid and stress-induced connection conditions, alongside structured ACL policies incorporating wildcard over-permission. Across repeated trials, username/password authentication achieved higher observed connection reliability (≈0.95), while TLS-based authentication provided stronger cryptographic identity assurance at the cost of increased authentication latency (≈42.6 ms vs. 14.8 ms) and higher CPU utilization (≈23.7% vs. 9.4%). No false acceptances were observed within 100 unauthorized trials per configuration, corresponding to a 95% confidence upper bound of <3% for FAR under a binomial model. Under controlled ACL misconfiguration, 22 of 100 evaluated authorization operations accessed topics beyond the originally intended least-privilege scope, yielding a reproducible privilege expansion rate of 0.22. This expansion resulted from wildcard policy semantics rather than an enforcement malfunction. 
The results provide controlled empirical quantification of reliability–security trade-offs and configuration-driven privilege-boundary behavior within a standards-compliant MQTT deployment. While the findings reflect enforcement behavior as realized in the evaluated implementation and laboratory environment, the proposed measurement framework establishes reproducible criteria for assessing MQTT security enforcement accuracy under controlled conditions.
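As an added example (not code from the paper), the following Python model reproduces the two measurements the abstract describes: a standard MQTT topic-filter matcher (`+` single level, `#` multi-level), a comparison of an intended least-privilege ACL against a configured ACL carrying a `#` over-permission to compute a privilege expansion rate, and the exact binomial 95% upper bound on FAR when zero false acceptances are observed. The ACL entries and authorization operations are constructed sample data, not the paper's dataset.

```python
import math

def topic_matches(filt: str, topic: str) -> bool:
    """MQTT topic-filter match: '+' matches exactly one level, '#' matches
    the remaining levels (including none) and is valid only as the last level."""
    f, t = filt.split("/"), topic.split("/")
    for i, level in enumerate(f):
        if level == "#":
            return i == len(f) - 1          # '#' anywhere else is an invalid filter
        if i >= len(t):
            return False                    # filter is longer than the topic
        if level != "+" and level != t[i]:
            return False
    return len(f) == len(t)

def authorized(acl: dict, client: str, topic: str) -> bool:
    """True if any filter granted to the client covers the topic."""
    return any(topic_matches(flt, topic) for flt in acl.get(client, ()))

def privilege_expansion(intended: dict, configured: dict, operations: list) -> tuple:
    """Count operations the configured ACL allows but the intended
    least-privilege ACL would not; return (count, rate)."""
    expanded = sum(
        1 for client, topic in operations
        if authorized(configured, client, topic) and not authorized(intended, client, topic)
    )
    return expanded, expanded / len(operations)

def far_upper_bound(trials: int, confidence: float = 0.95) -> float:
    """Exact binomial upper bound on the true FAR when 0 of `trials`
    unauthorized attempts were accepted: smallest p with (1-p)^n <= 1-confidence."""
    return 1 - (1 - confidence) ** (1 / trials)

# Constructed sample: what each client was meant to reach vs. what was configured.
INTENDED = {"sensor-a": ["site1/sensor-a/temp", "site1/sensor-a/status"],
            "dash": ["site1/+/temp"]}
CONFIGURED = {"sensor-a": ["site1/#"],            # wildcard over-permission
              "dash": ["site1/+/temp"]}
OPERATIONS = [  # constructed (client, topic) authorization checks
    ("sensor-a", "site1/sensor-a/temp"),      # in scope
    ("sensor-a", "site1/sensor-a/status"),    # in scope
    ("sensor-a", "site1/sensor-b/temp"),      # expanded by 'site1/#'
    ("sensor-a", "site1/actuators/valve"),    # expanded by 'site1/#'
    ("sensor-a", "site2/sensor-a/temp"),      # denied by both ACLs
    ("dash", "site1/sensor-b/temp"),          # in scope
    ("dash", "site1/sensor-b/status"),        # denied by both ACLs
    ("dash", "site1/sensor-a/temp/raw"),      # '+' covers one level only: denied
]

if __name__ == "__main__":
    print("expansion (count, rate):", privilege_expansion(INTENDED, CONFIGURED, OPERATIONS))
    print("FAR 95% upper bound, 0/100:", round(far_upper_bound(100), 4))
```

The expansion here comes purely from `#` matching every descendant of `site1/`, mirroring the abstract's point that the leakage is a policy-semantics effect rather than an enforcement fault.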
Nael Radwan and Frederick T. Sheldon (University of Idaho), Applied Sciences
www.synapsesocial.com/papers/69d8946e6c1944d70ce056b8 — DOI: https://doi.org/10.3390/app16073583