MQTT protocol provides two simple mechanisms for client authentication: client ID and user. When a client connects to the broker, it has to supply a unique identifier to the server that must be unique across all clients connected (the broker rejects the connection in case of an existing ID). Furthermore, the connection message can include username and password to identify a user on the client.  Regarding the security, the MQTT protocol doesn’t specify a security layer by itself. It is based on TCP so we can handle data encryption across the network using SSL/TLS; in this way we can use client and server certificates for authentication, better than client identifier and username/password. Without using SSL/TLS we can add a security layer encrypting message payload at application level (remember that MQTT is payload agnostic).