A two‐factor authentication scheme with anonymity for multi‐server environments

Abstract

AbstractIn a multi‐server environment, remote user authentication is essential for secure communication. Recently, Liao and Wang, Hsiang and Shih, and Lee et al. have successively proposed various remote user authentication schemes for multi‐server environments. However, each of these schemes exhibits distinct security weaknesses. The Liao–Wang scheme is vulnerable to insider attacks and masquerade attacks, and fails to provide two‐factor security and mutual authentication. The Hsiang–Shih scheme is vulnerable to masquerade attacks and cannot provide mutual authentication. This paper shows that the Lee et al. scheme does not provide two‐factor security and cannot withstand masquerade attacks. Their scheme demonstrates poor reparability and fails to provide mutual authentication. Its password change process is inconvenient and inefficient for users who wish to update passwords. Therefore, we propose a novel two‐factor authentication scheme with anonymity for multi‐server environments and use the Burrows–Abadi–Needham logic method to verify our scheme. We compare the performance and functionality of the proposed scheme with those of previous schemes. Cryptanalysis demonstrated that our improved scheme not only overcomes the drawbacks of the Lee et al., Hsiang–Shih, and Liao–Wang schemes but also satisfies crucial design criteria for secure remote user authentication schemes in multi‐server environments. This paper presents a real‐case scenario and provides practical examples. We show that our improved authentication scheme provides more functionality than the mentioned schemes do, and can enhance effectiveness in protecting multi‐server environments. We also show that the proposed scheme is efficient and can enhance the efficiency of the authentication scheme in a multi‐server environment. Copyright © 2014 John Wiley & Sons, Ltd.