Mobile devices are becoming an essential part of many users' lives. Users sometimes exchange very sensitive data with remote servers, which raises security concerns about the confidentiality and integrity of these data and about users' privacy. Mutual authentication protocols allow a user and a server to confirm each other's legitimacy and to share a session key for encrypting subsequent communications. Several protocols have been proposed to achieve this goal; however, they exhibit weaknesses such as susceptibility to impersonation, lack of anonymity, reliance on additional hardware, and the clock-synchronization problem that comes with the use of timestamps. In this paper, we propose a mutual authentication protocol based on elliptic curve cryptography for mobile client-server environments that addresses these problems. The protocol is intended to be lightweight, since it is designed for resource-constrained mobile devices. We also present a formal and an informal analysis of the security of the proposed protocol, which provides security properties such as session key security, perfect forward secrecy, user anonymity, and resistance to impersonation, replay and insider attacks. Performance evaluation shows that the proposed protocol outperforms similar protocols. It is therefore secure, efficient and suitable for mobile environments.
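To make the properties named in the abstract concrete, the following is an added illustration and not the paper's protocol: a generic nonce-based, signed ephemeral-ECDH exchange on P-256 in Go, using only the standard library. Ephemeral keys give perfect forward secrecy, long-term ECDSA identity keys give mutual authentication (the client aborts when the server's signature does not verify under the key it trusts), nonces in the transcript replace timestamps as the freshness mechanism, and HMAC tags confirm that both sides derived the same session key. The party names, message layout, labels and key-derivation construction are assumptions made for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdh"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Identity is a party's long-term ECDSA P-256 key. Only the public half is
// pre-shared: the server's is installed in the app, the user's is registered
// at enrolment. (Assumed setup for this example, not the paper's scheme.)
type Identity struct {
	Name string
	Key  *ecdsa.PrivateKey
}

func NewIdentity(name string) (*Identity, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Identity{Name: name, Key: k}, nil
}

// ephemeral returns a one-session ECDH P-256 key pair and a 16-byte nonce.
// Discarding the private key after the session is what gives forward secrecy.
func ephemeral() (*ecdh.PrivateKey, []byte, error) {
	k, err := ecdh.P256().GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, 16)
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	return k, nonce, nil
}

// transcript hashes both nonces and both ephemeral public keys, so a signature
// or MAC over it cannot be replayed in a different session (no timestamps needed).
func transcript(cNonce, sNonce, cPub, sPub []byte) []byte {
	h := sha256.New()
	for _, p := range [][]byte{cNonce, sNonce, cPub, sPub} {
		h.Write(p)
	}
	return h.Sum(nil)
}

// deriveKey is a simple HMAC-based extract step: transcript as salt, ECDH
// output as input keying material. Yields a 32-byte session key.
func deriveKey(shared, tr []byte) []byte {
	h := hmac.New(sha256.New, tr)
	h.Write(shared)
	return h.Sum(nil)
}

// confirm produces a key-confirmation tag bound to a role label and the transcript.
func confirm(key []byte, label string, tr []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(label))
	m.Write(tr)
	return m.Sum(nil)
}

// Handshake runs both sides of the exchange in one process. clientTrusts is the
// server public key the client expects; a server holding any other identity key
// is rejected before the client accepts the session key (impersonation check).
func Handshake(client, server *Identity, clientTrusts *ecdsa.PublicKey) (clientKey, serverKey []byte, err error) {
	// Message 1, client -> server: nonce_c, E_c
	ec, nc, err := ephemeral()
	if err != nil { return nil, nil, err }
	ecPub := ec.PublicKey().Bytes()

	// Server side: own ephemeral key, shared secret, session key, signature, MAC.
	es, ns, err := ephemeral()
	if err != nil { return nil, nil, err }
	esPub := es.PublicKey().Bytes()
	cPubParsed, err := ecdh.P256().NewPublicKey(ecPub)
	if err != nil { return nil, nil, err }
	sharedS, err := es.ECDH(cPubParsed)
	if err != nil { return nil, nil, err }
	tr := transcript(nc, ns, ecPub, esPub) // both sides compute this from what they sent/received
	serverKey = deriveKey(sharedS, tr)
	sigS, err := ecdsa.SignASN1(rand.Reader, server.Key, tr)
	if err != nil { return nil, nil, err }
	macS := confirm(serverKey, "server", tr)
	// Message 2, server -> client: nonce_s, E_s, sig_s, mac_s

	// Client side: authenticate the server first, then derive and confirm the key.
	if !ecdsa.VerifyASN1(clientTrusts, tr, sigS) {
		return nil, nil, errors.New("server authentication failed")
	}
	sPubParsed, err := ecdh.P256().NewPublicKey(esPub)
	if err != nil { return nil, nil, err }
	sharedC, err := ec.ECDH(sPubParsed)
	if err != nil { return nil, nil, err }
	clientKey = deriveKey(sharedC, tr)
	if !hmac.Equal(macS, confirm(clientKey, "server", tr)) {
		return nil, nil, errors.New("server key confirmation failed")
	}
	sigC, err := ecdsa.SignASN1(rand.Reader, client.Key, tr)
	if err != nil { return nil, nil, err }
	macC := confirm(clientKey, "client", tr)
	// Message 3, client -> server: sig_c, mac_c

	// Server side: authenticate the client against its registered key and check the MAC.
	if !ecdsa.VerifyASN1(&client.Key.PublicKey, tr, sigC) {
		return nil, nil, errors.New("client authentication failed")
	}
	if !hmac.Equal(macC, confirm(serverKey, "client", tr)) {
		return nil, nil, errors.New("client key confirmation failed")
	}
	return clientKey, serverKey, nil
}

func main() {
	client, _ := NewIdentity("alice")     // constructed sample identities
	server, _ := NewIdentity("bank-api")
	ck, sk, err := Handshake(client, server, &server.Key.PublicKey)
	fmt.Println("honest server, keys agree:", err == nil && bytes.Equal(ck, sk))
	impostor, _ := NewIdentity("impostor")
	_, _, err = Handshake(client, impostor, &server.Key.PublicKey)
	fmt.Println("impostor rejected:", err != nil)
}
```

Running it prints `true` for both lines: the honest run yields identical 32-byte keys on both sides, and a server that does not hold the trusted identity key is rejected at the signature check before any session key is accepted. Two honest runs never produce the same key, which is the freshness that nonces and ephemeral keys provide without any clock synchronization.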