Revisiting anonymous two-factor authentication schemes for multi-server environment

Abstract

Revealing the security flaws of existing cryptographic protocols is the key to understanding how to achieve better security. At ICICS’17, Xu et al. proposed an efficient two-factor authentication scheme for multi-server environment to cope with the vulnerabilities in Amin et al.’s scheme. However, in this paper, we reveal that Xu’s new scheme actually is as vulnerable as Amin et al.’s scheme: anyone can impersonate any legitimate user. At FC’17, Wu et al. also developed an improvement over Irshad et al.’s scheme and this improved scheme is alleged to be practical and have a number of appealing merits. Yet, Wu et al.’s scheme still fails to achieve truly two-factor security (which is the most important goal of a two-factor scheme), and the leakage of a session-specific parameter will lead to the leakage of the user’s long-term secret key. Besides security, efficiency is another great concern. Recently, Leu-Hsieh showed that Lee et al.’s two-factor scheme fails to achieve truly two-factor security, and further suggested an enhanced anonymous scheme which is claimed to be robust against various attacks, while only using lightweight symmetric-key techniques. In this work, we show that Leu-Hsieh’s enhanced scheme still fails to achieve truly two-factor security once again. Moreover, it cannot preserve user privacy. Our results invalidate any use of these three schemes for practical applications without further improvement, and underscore some new challenges (e.g., attacks arising from the leakage of session-specific parameters and from malicious insiders) in designing practical password authentication schemes.