A Provably Secure Biometrics-Based Authentication Scheme for Multiserver Environment

With the rapid development of mobile services, multiserver authentication protocol with its high efficiency has emerged as an indispensable security mechanism for mobile services. Recently, Ali et al. introduced a biometric-based multiserver authentication scheme and claimed the scheme is resistant to various attacks. However, after a careful examination, we find that Ali et al.'s scheme is vulnerable to various security attacks, such as user impersonation attack, server impersonation attack, privileged insider attack, denial of service attack, fails to provide forward secrecy and three-factor secrecy. To overcome these weaknesses, we propose an improved biometric-based multiserver authentication scheme using elliptic curve cryptosystem. Formal security analysis under the random oracle model proves that our scheme is provably secure. Furthermore, BAN (Burrows-Abadi-Needham) logic analysis demonstrates our scheme achieves mutual authentication and session key agreement. In addition, the informal analysis proves that our scheme is secure against all current known attacks and achieves desirable features. Besides, the performance and security comparison shows that our scheme is superior to related schemes.