A Multi-Server Two-Factor Authentication Scheme with Un-Traceability Using Elliptic Curve Cryptography

To provide secure communication, the authentication-and-key-agreement scheme plays a vital role in multi-server environments, Internet of Things (IoT), wireless sensor networks (WSNs), etc. This scheme enables users and servers to negotiate for a common session initiation key. Our proposal first analyzes Amin et al.'s authentication scheme based on RSA and proves that it cannot provide perfect forward secrecy and user un-traceability, and is susceptible to offline password guessing attack and key-compromise user impersonation attack. Secondly, we provide that Srinivas et al.'s multi-server authentication scheme is not secured against offline password guessing attack and key-compromise user impersonation attack, and is unable to ensure user un-traceability. To remedy such limitations and improve computational efficiency, we present a multi-server two-factor authentication scheme using elliptic curve cryptography (ECC). Subsequently, employing heuristic analysis and Burrows⁻Abadi⁻Needham logic (BAN-Logic) proof, it is proven that the presented scheme provides security against all known attacks, and in particular provides user un-traceability and perfect forward security. Finally, appropriate comparisons with prevalent works demonstrate the robustness and feasibility of the presented solution in multi-server environments.