Two-way biometrics-based authentication scheme on mobile devices

Abstract

Online transactions with mobile devices through internet environment have become popular worldwide. Therefore, many authentication schemes have been proposed to protect users from various potential attacks in e-transactions with online service providers from mobile devices. In 2013, Khan et. al. propose a keyhash based scheme on mobile devices to resist known kinds of attacks that previous schemes cannot resist. However, we prove that Khan et. al.’s scheme still cannot withstand impersonation, denial of service, and three-factor attacks. This motivates our proposal of an improved scheme to further overcome the found limitations in Khan’s scheme. The main idea of our proposed method is that the user ID and the secret key of the server are hashed together to prevent user impersonation. We also prove that our method can also resist against known attacks, such as server and user impersonation attack, replay attack, password guessing attack, malicious user attack, mobile device loss attack, attacks due to ID theft, attacks using login request.