Provably secure anonymous three-factor authentication scheme for multi-server environments

Significant developments in wireless communication technologies have resulted in the increased popularity of mobile devices and mobile services. However, excessive service requests reduce the efficiency of traditional single-server architectures, which consist of one server and many users. To overcome this limitation, a multi-server architecture was proposed. Additionally, password-based or smart-card-based authentication schemes cannot support some important security properties in multi-server environments. Consequently, biometrics are widely used as a third factor, in addition to passwords and smart cards, to make authentication schemes more secure. Reddy et al. recently designed a three-factor (i.e., password, smart card and biometrics) authentication scheme for multi-server environments. However, we found that their scheme lacks untraceability and is vulnerable to privileged insider attacks. To address these deficiencies, we propose a security-enhanced three-factor authentication scheme for multi-server environments based on elliptic curve cryptography (ECC). We prove that the proposed scheme is secure using the random oracle model. Moreover, an informal security analysis shows that the proposed scheme fulfills all the security requirements of the multi-server architecture. Finally, the results from performance analyses indicate that our proposed scheme achieves a significant improvement in security with minimal impact on performance.