Authorization is the ability to determine who has access to what, or who can do what. Authorization requires authenticated identities. MQTT does not forward the identities of publishers to subscribers, which makes authorization a significant problem. How does a recipient know that a packet is valid, or that the sender is authorized to send it? Since, by default, anybody can publish packets on any topic, injection of forged packets is a serious problem.
As with the problem of privacy, this vulnerability can be addressed using access control lists (ACLs). It can also be solved by cryptographic means, for instance by signing packets with a public-key algorithm such as RSA. Signatures based on public-key cryptography work well in a Publish/Subscribe setting: only the sender needs the private key, and recipients require only the public key of the sender to validate the signature.
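The signing scheme described above, as an added example (not code from the book): the publisher wraps each MQTT payload in an envelope signed with its RSA private key, and a subscriber that has pinned the publisher's public key verifies it. The sender identifier, the envelope layout and the choice of RSA-PSS with SHA-256 are assumptions; the topic is included in the signed data so a valid message cannot simply be replayed under a different topic.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// SignedMessage is the application-level envelope carried in the MQTT PUBLISH
// payload. The broker forwards it unchanged; authorization is checked at the ends.
type SignedMessage struct {
	Sender    string // publisher identifier (assumed convention)
	Topic     string // topic the publisher intended the message for
	Payload   []byte // the actual application data
	Signature []byte // RSA-PSS signature over digest(Sender, Topic, Payload)
}

// digest binds sender, topic and payload together so a signature cannot be
// replayed under another topic or claimed by another sender. A zero byte
// separates the fields so that "ab"+"c" and "a"+"bc" hash differently.
func digest(sender, topic string, payload []byte) []byte {
	h := sha256.New()
	h.Write([]byte(sender))
	h.Write([]byte{0})
	h.Write([]byte(topic))
	h.Write([]byte{0})
	h.Write(payload)
	return h.Sum(nil)
}

// Sign builds the envelope on the publisher side using its private key.
func Sign(priv *rsa.PrivateKey, sender, topic string, payload []byte) (SignedMessage, error) {
	sig, err := rsa.SignPSS(rand.Reader, priv, crypto.SHA256, digest(sender, topic, payload), nil)
	if err != nil {
		return SignedMessage{}, err
	}
	return SignedMessage{Sender: sender, Topic: topic, Payload: payload, Signature: sig}, nil
}

// Verify is run by the subscriber: pub is the public key it has pinned for
// msg.Sender, receivedTopic is the topic the broker delivered the message on.
// Only a message that was signed by that key and meant for this topic passes.
func Verify(pub *rsa.PublicKey, receivedTopic string, msg SignedMessage) bool {
	if msg.Topic != receivedTopic {
		return false // replayed or re-routed to a topic it was not signed for
	}
	return rsa.VerifyPSS(pub, crypto.SHA256, digest(msg.Sender, msg.Topic, msg.Payload), msg.Signature, nil) == nil
}
```

A subscriber that holds no pinned key for msg.Sender should discard the message; the signature proves nothing unless the public key is tied to an identity out of band.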
The same public-key method can be used to achieve privacy in point-to-point communication, or to distribute shared symmetric keys. But the implementation is far from simple, and the chances of achieving interoperability are slim.
If interoperability is important to your solution, there are other protocols that you can use to solve these issues. More on these protocols in later chapters.