1 Introduction

User authentication plays a crucial part in ensuring that resources and services at the remote server can only be accessed by legitimate parties. In 1991, Chang et al. [5] suggested the first two-factor authentication scheme based on passwords and smart cards, and this influential study has given rise to a series of enhanced proposals with each diversified in aspects of usability [23], security [14] efficiency [9] and anonymity [20].

However, most of these schemes are designed for the single-server architecture, which means that the user needs to memorize n pairs of identity and password to login n different service servers. As the number of services increases rapidly, e.g., common users generally have 25–67 such pairs [12]. This is a great burden for use to maintain (memorize) such an amount of password pairs. Accordingly, a number of two-factor authentication protocols for multi-server architecture has been developed [13, 19, 22].

In a two-factor schemeFootnote 1 for multi-server architecture, there are three participants (i.e. a set of users, a control server CS and a set of service servers) involved. User U can login any service server under the same control server by using the same (identity, password)-pair. User U holds a memorable password and a smart card stored with some initial security parameters; The servers (including CS and service server S) only need to keep some secret key material of the system (but not the user). Since there is no need to keep a table with password-related verification information on the server side, the server is free from the threat of password dataset leaks and ameliorated from the burden of maintaining a large password dataset. This feature makes this type of schemes rather desirable, considering the incessant leakages of password databases from large websites [1].

The most important security goal of a two-factor authentication scheme is the so-called “two-factor security” [14]. This security concept essentially means that only the user that has the smart card as well as knows the correct password can be verified by the server. Nevertheless, past research [6, 16, 17, 20] have, again and again, proved that designing a two-factor authentication scheme with “two-factor security” for single-server architecture is a hard task, and the design of a truly two-factor scheme for multi-server architecture can only be harder.

In 2017, Amin et al. [4] developed an anonymous two-factor authentication scheme relying on the intractability of large integer factoring problem (i.e., RSA), and stated that their scheme is able to support “two-factor security” under the hypothesis that smart cards can be tampered. Later on, Xu et al. [22] found that Amin et al.’s scheme cannot resist against user impersonation attack if the parameters kept in the smart cards can be extracted, invalidating Amin et al.’s claim of ensuring “two-factor security”. Accordingly, Xu et al. [22] further proposed a new scheme based on the same cryptographic primitive (i.e., RSA) at ICICS’17. In addition, their scheme was “proved secure” in the random oracle model. Surprisingly, we find that Xu et al.’s scheme [22] is subject to a damaging security hole: anyone can impersonate any legitimate user.

At FC’17, Wu et al. [19] demonstrated that various security drawbacks existed in both Irshad et al.’s [7] and Zhu’s [24] schemes. More specifically, Irshad et al.’s scheme is vulnerable to stolen-verifier attack and insider attack, and provides no user anonymity; Zhu’s scheme suffers from insider attack, provides no user anonymity, and has the de-synchronization problem in case the malicious attacker \(\mathcal {M}\) simply modify the third message flow. Wu et al. [19] also put forward an improved scheme and argued that their scheme is robust under the condition that the sensitive data in smart card has been revealed by \(\mathcal {M}\). It should be noted that, recent rapid developments in side-channel attacks have proved that the sensitive information stored in general commercial smart cards could be extracted by power analysis [11] or reverse engineering [3]. Based on a weak yet realistic assumption, Wu et al.’s scheme [19] appears very practical.

However, as we will show, this scheme is prone to a much more serious problem (i.e., no truly two-factor security) than the original schemes (i.e., Irshad et al.’s [7] and Zhu’s [24] schemes). Besides, Wu et al.’s scheme will leak the user’s long-term secret key once a session-specific parameter is leaked. This is rather undesirable, because session-specific data is often less well protected than long-term keys, and the leakage of the former should not affect the latter. Our attack highlight the challenges arising from the leakage of session-specific data.

Besides robust security guarantees, protocol efficiency is also an important concern due to the resource-constrained nature of user devices. Leu-Hsieh [9] presented an anonymous two-factor scheme, which is claimed to ensure user privacy and robust security while only requiring a few lightweight hash operations. Unlike their claims, we show that their scheme still cannot provide truly two-factor security and user anonymity. In addition, forward secrecy cannot be attained. We note that Maitra et al. [10] have also analyzed Leu-Hsieh’s scheme and presented some attacks, but their attacks are different from ours. Besides, Maitra et al. [10] further gave an improved scheme, which suffers some critical issues as pointed out in [13].

2 Adversary Models

Since a series of influential work [17, 21, 23], generally three assumptions are made about \(\mathcal {M}\)’s capabilities against two-factor authentication.

Assumption 1

\(\mathcal {M}\) completely manipulates the public channel (e.g., eavesdrop, delete, insert, modify or block any transcripts).

Assumption 2

\(\mathcal {M}\) can somehow obtain the victim’s smart card and exploit side-channel attacks [3, 11] to extract sensitive data from the card memory.

Assumption 3

Users’ passwords are selected from a very constrained space and \(\mathcal {M}\) can brutal force it. To increase usability, most schemes (e.g., the ones in [14, 20, 23]) allow the users to choose passwords at their discretion during registration phase or password change phase. Generally, human beings are only capable of memorizing 5–7 different passwords, and tend to select popular passwords, use personal info to build passwords and reuse passwords. Therefore, user-chosen passwords follow the Zipf’s law [15] and come from a small space.

Note that, if all Assumptions 2 and 3 hold at the same time, then the attacker (with no need of other abilities) is able to impersonate any victim user and can trivially breach any scheme. Thus, it is common practice to do not assume that the attacker acquires a victim user’s both (all) authentication factors when analyzing security [6, 17, 20].

Also note that, an attacker might be an insider of the system, and it is practical for her to obtain both her own card and password. As shown in Sect. 5.2.3 of [16], such an attacker is really powerful and poses great threat to the security of the system. Overlooking the threats from this kind of attacker is likely to open large security loopholes. Many previous password authentication schemes employing smart cards (e.g., [8, 18, 21]) fail to achieve “two-factor security” or user un-traceability, when confronted with such a malicious insider. In this work, special attention are devoted to this kind of attacker and we show its perniciousness.

According to the abilities that are exploited by an attacker to launch a attack, four types of attackers can be further classified as follows:

  1. (I)

    Basic attacker. This attacker is only based on Assumption 1.

  2. (II)

    Attacker with the target user’s smart card. This attacker rest on the Assumption 1 and 2.

  3. (III)

    Attacker with the target user’s password. This attacker rests on the Assumption 1 and 3.

  4. (IV)

    Attacker with her own smart card and password. This attacker rests on the Assumption 1–3, being a malicious insider.

It is evident that the basic attacker is with the least capabilities, while the three remaining attackers are all realistic according to the aforementioned discussions. Consequently, any scheme aiming for practical use shall be able to withstand these four attackers. All the three schemes examined in this work are claimed to be secure under the above three assumptions. Actually, as we will show, this is not the case.

3 Cryptanalysis of Xu et al.’s Scheme

We first review Xu et al.’s scheme [22] proposed at ICICS’17, and then show that it is subject to a damaging security flaw: anyone can impersonate any legitimate user without guessing the victim’s password or obtaining the victim’s device.

3.1 A Brief Review of Xu et al.’s Scheme

Xu et al.’s scheme [22] is composed of four phases. For simplicity, the notations employed throughout this paper are listed in Table 1; We will comply with the abbreviations in Xu et al.’s scheme closely.

Table 1. Notations and abbreviations
Full size table

Server Registration Phase. This phase proceeds as follows:

  1. Step 1.

    \(S_j\Rightarrow RC\): \(\{e_j, n_j, SID_j\}\). \(S_j\) computes \(n_j = p_j\times q_j\) , \(\phi (n_j) = (p_j - 1)(q_j - 1)\) where both p and q are large prime numbers, then chooses a public key \(e_j (1< e_j < \phi (n_j))\) where gcd\((\phi (n_j), e_j) = 1\), and computes \(d_j \equiv e_j^{-1}\) mod \(\phi (n_j)\) as its private key.

  2. Step 2.

    \(RC\Rightarrow S_j\): \(\{Cer_j\}\). RC computes \(Cer_j = h(e_j \parallel SID_j \parallel n_j)^d\).

User Registration Phase. This phase proceeds as follows:

  1. Step 1.

    \(U_i\Rightarrow RC\): \(\{ID_i\}\).

  2. Step 2.

    \(RC\Rightarrow S_j\): \(\{d_i\}\). RC computes \(d_i = h(ID_i)^d\) mod \(n_j\).

Login and Authentication Phase. This phase proceeds as follows:

  1. Step 1.

    \(U_i\rightarrow S_j\): a random number \(T_i\).

  2. Step 2.

    \(S_j\rightarrow U_i\): \(\{e_j, n_j, Cer_j,A_j\}\) where \(A_j = h(T_i)^{d_j}\).

  3. Step 3.

    \(U_i\rightarrow S_j\): \(\{PID_i,R_i, S_i, x\}\). If \(Cer_j^e\) mod \(n_j\) equals \(h (SID_j \parallel e_j \parallel n_j)\) and \(A_j^{e_j}\) equals \(h(T_i)\), \(U_i\) computes \(PID_i = (ID_i \oplus a_i \parallel a_i)^{e_j}\) mod \(n_j\), \(R_i = h (ID_i)^r\) mod \(n_j\), \(x = h (m,R_i)\) and \(Si = d_i^{r-x}\) where \(a_i,r,m\) are three random numbers.

  4. Step 4.

    \(S_j\) computes \(S_i^{e_j}\) = \(h(ID_i)^{r-x}\), \(PID_i^{d_j}\) mod \(n_j\) = \(ID_i \oplus a_i\Vert a_i\), \(ID_i'\) = \(ID_i \oplus a_i\Vert a_i\). If \(S_i^{e_j}h(ID_i')^x\) equals Ri, \(S_j\) authenticates \(U_i\).

3.2 Flaws in Xu et al.’s Scheme

User Impersonation Attack.

Xu et al. claimed that their “proposed scheme can provide proper mutual authentication”, but we show this is not the case: Anyone can impersonate any legitimate user without guessing password or accessing the victim’s device:

  • Step 1. \(\mathcal {M}\) chooses a random number \(T_i\in _R (1, n_j]\);

  • Step 2. \(\mathcal {M}\) receives \(\{e_j, n_j, Cer_j,A_j\}\) that comes from \(S_j\);

  • Step 3. \(\mathcal {M}\) chooses a random number \(X\in _R (1, n_j]\);

  • Step 4. \(\mathcal {M}\) sets \(S_i=X\), \(R_i=X^{e_j}h(ID_i)^X\);

  • Step 5. \(\mathcal {M}\rightarrow S_j\): \(\{PID_i, R_i, S_i, x=X\}\), where \(PID_i\) is intercepted.

Note that the above attack will succeed, because \(\{PID_i, R_i, S_i, x=X\}\) will be accepted by the the service server \(S_j\). More specifically, according to attack Step 4, we have \(S_i^{e_j}h(ID_i)^x=X^{e_j}h(ID_i)^X\), which equals \(R_i\) and passes Step 4 of login phase. This demonstrates that even a Type-I attacker (see Sect. 2) can completely break the scheme.

Poor Repairability.

In Xu et al.’s scheme, there should be times that a user suspects (or realizes) that her smart card might be power analysed and the secret \(d_i=h(ID_i)^{d}~\texttt {mod}~n\) has been leaked. However, even if \(U_i\) has detected this abnormality and changes her password to a new one, no means can be employed to deter \(\mathcal {M}\) from using the master secret \(d_i\) to login the server \(S_j\). In other words, \(U_i\) cannot be easily repaired [17]. More detailedly, since \(d_i=h(ID_i)^d~\texttt {mod}~n\) is uniquely defined by \(U_i\)’s identity \(ID_i\) and RC’s long-term private key d, RC is unable to update \(d_i\) for \(U_i\) unless either \(ID_i\) or d is updated. Nevertheless, because d is usually utilized for all legitimate users of the entire system rather than only one user \(U_i\), it would be irrational and inefficient to change d to restore the security of a single user, i.e. \(U_i\). Furthermore, since \(ID_i\) is typically bound with \(U_i\) in many application systems, it is also unreasonable to change \(ID_i\) to address the problem. In summary, the repairability of Xu et al.’s scheme constitutes a realistic issue.

4 Cryptanalysis of Wu et al.’s scheme

Here we first review Wu et al.’s scheme [19]. This scheme is an improvement over existing schemes aims to attain user anonymity lacked in [7, 24]. Wu et al.’s scheme can preserve user anonymity, however, we observe that it still remains feasible for an attacker to break “truly two-factor security”. In addition, the scheme cannot provide sound repairability.

4.1 A Brief Review of Wu et al.’s scheme

Wu et al.’s scheme [19] is composed of four phases: initialization, registration, login and authentication, and one activity: password change. The notations and initial system parameters employed in Wu et al.’s scheme are same as employed in the scheme of Xu et al. (see Table 1).

Initialization Phase. Let \(k_{xy} (1 \le x, y \le n, x \not = y)\) be the common secret key of each pair of servers \((S_x, S_y)\) \((x \not = y)\), and s be their common parameter, \(k_y\) be the secret key of \(S_y\).

User Registration. This phase proceeds as follows:

  1. Step 1.

    \(U_i\Rightarrow S_y\): \(\{ID_i,HPW_i\}\), where \(HPW_i = h(PW_i \parallel b_i)\) and b is a random number.

  2. Step 2.

    \(S_y\Rightarrow U_i\): \(\{PID_i,B_1,B_2, s, h(\cdot )\}\). \(S_y\) selects \(PID_i\), then computes: \(B_{01} = h(PID_i \parallel k_y \parallel ID_{S_y})\), \(B_1 = B_0 \oplus HPW_i\), \(B_{02} = h(ID_i \parallel k_y \parallel ID_{S_y})\) and \(B_2 = B_{02} \oplus h(ID_i \parallel HPW_i)\), and stores \(ID_i\).

  3. Step 3.

    \(U_i\) inputs \((PID_i,B_1,B_2,B_3, s, h(\cdot ))\) into mobile device, where \(B_3 = b_i \oplus h(ID_i \parallel PW_i)\).

Login and Authentication Phase. This phase proceeds as follows:

  1. Step 1.

    \(U_i\rightarrow S_x\): \(M_1 = \{PID_i, C_1, C_2, C_3, C_5, SID_j, ID_{S_y}\}\). \(U_i\) inputs \(ID_i\) and \(PW_i\), then the device calculates \(b_i = B_3 \oplus h(ID_i \parallel PW_i)\) and \(HPW_i = h(PW_i \parallel b_i)\), \(C_1 = T_{r_U} (s)\), \(C_2 = B_1 \oplus HPW_i \oplus N_U\), \(C_3 = h(N_U) \oplus ID_i\), \(C_4 = B_2 \oplus h(ID_i \parallel HPW_i)\) and \(C_5 = h(C_1 \parallel N_U \parallel C_4)\), where \(r_U\) and \(N_U\) are two randomly chosen nonces.

  2. Step 2.

    \(S_x\rightarrow S_y\): \(M_2\) = \(\{PID_i,C_1,C_2,C_3,C_5,C_6, C_7,SID_j\}\). \(S_x\) computes \(C_6\) = \(T_{r_{S_x}}(s)\) and \(C_7\) = \(h(C_6\Vert k_{xy}\Vert SID_j)\), where \(r_{S_x}\) is a nonce.

  3. Step 3.

    There are further messages flows \(S_y\rightarrow S_x\): \(M_3 = \{C_8, C_9,\) \(C_{10}, C_{11}\}\) and \(S_x\rightarrow U_i\): \(M_4\) = \(\{C_6, C_9 \sim C_{12}\}\), but they have litter relevance to our discussions and are omitted.

4.2 Flaws in Wu et al.’s scheme

We now show the flaws of Wu et al.’s scheme [19]. Recall that the three assumptions listed in Sect. 2 are also explicitly made when Wu et al. analyzing Irshad et al.’s [7] and Zhu’s [24] schemes.

Smart Card Loss Attack.

Based on Wu et al.’s own security assumptions (i.e., the three ones in Sect. 2), we now cryptanalyze the security provisions of their scheme. More specifically, in what follows we assume that \(\mathcal {M}\) can extract the private data \(\{B_1, B_2, B_3, h(\cdot )\}\) kept in \(U_i\)’s smart card, and can also eavesdrop the messages \(\{PID_i, C_1, C_2, C_3, C_5, SID_j, ID_{S_y}\}\) exchanged between the parties. \(\mathcal {M}\) obtains \(U_i\)’s password \(PW_i\) as follows:

  • Step 1. Guesses the value of \(ID_i\) to be \(ID^*_i\) from dictionary space \(\mathcal {D}_{id}\) and the value of \(PW_i\) to be \(PW^*_i\) from dictionary space \(\mathcal {D}_{pw}\);

  • Step 2. Computes \(b_i^*=B_3 \oplus h(ID_i^*)^{PW_i^*}\), where \(B_3\) is revealed from \(U_i\)’s card;

  • Step 3. Computes \(N_u^*=C_2^*\oplus B_1\oplus h(PW_i\Vert b_i^*)\), where \(C_2\) is intercepted from the channel and \(B_1\) is revealed from \(U_i\)’s card;

  • Step 4. Computes \(C_3^*=h(N_u^*) \oplus ID_i^*\);

  • Step 5. Verifies the correctness of (\(ID_i^*, PW^*_i\)) by checking if \(C_3^*\) equals the intercepted \(C_3\);

  • Step 6. Repeats Steps 1–5 until the right (\(ID_i^*, PW^*_i\)) is found.

The time complexity of the attack is \(\mathcal {O}(|\mathcal {D}_{id}|*|\mathcal {D}_{pw}|*3T_H)\), where \(T_H\) is the running time for Hash operation. Recently, it has been found that user-chosen password follow the Zipf’s law and the dictionary size is very restricted, e.g., \(|\mathcal {D}_{id}|\le |\mathcal {D}_{pw}|\le 10^6\) [15]. Further, regarding the timings in Table 5 of [17], \(\mathcal {A}\) may figure out the password within 24.6 days on a common PC, or costs $30.36 and spends 16.37 h by using the Amazon EC2 C4.4X-large cloud computing service [2]. The above attack means that, once the smart card factor is breached, then the password factor will also be compromised. This indicates that truly two-factor security cannot be achieved in Wu et al.’s scheme.

Temporary Information Leakage Attack.

As session-specific info are generally of large volume and deemed less sensitive than long-term secret keys, the former will be much less well protected than the latter and thus more easily leaked (e.g., through improper erasing, memory leakage or even poor implementations). Therefore, it is desirable that the security impact of the leakage of such session-specific info can be limited to just session-specific secret keys, but not the long-term secret keys.

However, in Wu et al.’s scheme [19], the leakage of session-specific information will make the long-term secret key dangerous:

  • Step 1. \(\mathcal {M}\) somehow obtains the session-specific \(N_u\) during one session;

  • Step 2. Computes \(B_{01} = C_2 \oplus N_u=h(PID_i \parallel k_y \parallel ID_{S_y})\).

Note that, \(B_{01}=h(PID_i \parallel k_y \parallel ID_{S_y})\) is just \(U_i\)’s long-term authenticator. After obtaining \(B_{01}\), \(\mathcal {M}\) can further guess \(U_i\)’s passwords:

  • Step 1. Computes \(ID_i\) = \(C_3 \oplus h(N_u)\), where \(C_3\) is from open channel;

  • Step 2. Guesses the value of \(PW_i\) to be \(PW^*_i\) from space \(\mathcal {D}_{pw}\);

  • Step 3. Computes \(C_2^*=B_{01} \oplus h(PW_i^*\Vert b_i^*)\oplus N_u\), where \(B_{01}\) is obtained as shown above;

  • Step 4. Verifies the correctness of \(PW^*_i\) by comparing if \(C_2^*\) equals \(C_2\);

  • Step 5. Repeats Step 1–4 until the right value of \(PW^*_i\) is found.

The time complexity is \(\mathcal {O}(|\mathcal {D}_{pw}|*2T_H)\), which can be completed in 1.39 s on a common PC according to the timings that \(T_H\approx 0.693 \mu s\) (see Table 5 of [17]). That is, the leakage of session-specific info will lead to the leakage of user identity and passwords. This is rather dangerous.

5 Cryptanalysis of Leu-Hsieh’s Scheme

We now cryptanalyze Leu-Hsieh’s scheme [9].

5.1 Review of Leu-Hsieh’s Scheme

Due to space constraints, the details of the scheme are referred to [9].

5.2 Flaws in Leu-Hsieh’s Scheme

No User Anonymity.

With the concern of user privacy rising rapidly nowadays, user anonymity is becoming a primary feature to be considered in the design of authentication protocols, especially in wireless environments. In Leu-Hsieh’s scheme, the exchanged messages are different in every session due to the use of fresh random nonces and user identity is dynamic in every session by hiding the true identity \(ID_i\) into shadow identities \(CID_i\). In this way, anonymity service is claimed to be provided in [9] by arguing that an attacker \(\mathcal {M}\) “cannot distinguish between different sessions corresponding to a certain user and cannot obtain any clue to the real identity.” However, Leu-Hsieh’s scheme fails to consider that the attacker \(\mathcal {M}\) may be a malicious insider (i.e., a legitimate but malicious user – a type IV attacker, see Sect. 2). In the following we show that such a type IV attacker \(\mathcal {M}\) is able to breach \(U_i\)’s untraceability as follows:

  • Step 1. \(\mathcal {M}\) eavesdrops a login request \(\{P_{ij}, N_i\}\) sent by \(U_i\);

  • Step 2. \(\mathcal {M}\) calculates \(T_i=P_{ij}\oplus h(h(y)\Vert N_i\Vert SID_j)\), where h(y) is shared among all users and service serviers.

Note that, \(T_i=h(R_i\Vert x)\) is specific to \(U_i\) and static in all of user \(U_i\)’s login sessions, and thus it can be used to link the different session participated by \(U_i\), breaching the user untraceability.

The above procedure shows that, a type IV attacker (see Sect. 2) is capable of disclosing the activity of any legitimate user in the system without the sensitive info from user’s smart card. Instead, \(\mathcal {M}\) only needs the sensitive info from her own knowledge. This is a much weaker condition as compared with the condition that \(\mathcal {M}\) needs the sensitive info from \(U_i\)’s smart card. This is contrary to Leu-Hsieh’s claim that \(\mathcal {M}\) “cannot obtain any clue to the real identity.” Thus, their scheme cannot preserve user anonymity and is not a true dynamic-ID based scheme. Our attack highlights the seriousness of threat arising from malicious insiders.

Smart Card Loss Attack I.

We show that once \(\mathcal {M}\) obtains \(U_i\)’s smart card, a Type-I attacker \(\mathcal {M}\) can obtain \(U_i\)’s password \(PW_i\) as follows:

  • Step 1. \(\mathcal {M}\) extracts \(\{V_i, H_i, h(\cdot )\}\) from \(U_i\)’s smart card.

  • Step 2. \(\mathcal {M}\) picks a candidate \(PW_i^*\) from the password dictionary \(\mathcal {D}_{pw}\), and a candidate \(ID_i^*\) from the identity dictionary \(\mathcal {D}_{id}\).

  • Step 3. \(\mathcal {M}\) computes \(T_i^*=V_i\oplus h(ID_i^*\Vert h(b\Vert PW_i^*))\);

  • Step 4. \(\mathcal {M}\) computes \(H_i^*=h(T_i^*)\);

  • Step 5. \(\mathcal {M}\) examines the validity of \(PW_i^*\) by comparing if the computed \(H_i^*\) is equal to \(H_i\) which is extracted from the card memory.

  • Step 6. \(\mathcal {M}\) goes to Step 2 until the right \(PW_i\) is obtained.

The time complexity is \(\mathcal {O}(|\mathcal {D}_{id}|*|\mathcal {D}_{pw}|*(2T_H+T_X))\). Based on the results in [17], this attack is able to be carried out in a few days on a common computer. This attack has been given extensive attention is the literature [16, 17]. As shown in [13], Maitra et al.’s scheme [10], an improvement of Leu-Hsieh’s scheme [9], suffers exactly the same issue.

Smart Card Loss Attack II.

We further show that a Type-I attacker \(\mathcal {M}\) can obtain \(U_i\)’s password \(PW_i\) via another attacking procedure as follows:

  • Step 1. \(\mathcal {M}\) extracts \(\{B_i, Z_i, V_i, b, h(\cdot )\}\) from \(U_i\)’s smart card by side channel attacks [3, 11].

  • Step 2. \(\mathcal {M}\) picks a candidate \(PW_i^*\) from the password dictionary \(\mathcal {D}_{pw}\), and a candidate \(ID_i^*\) from the identity dictionary \(\mathcal {D}_{id}\).

  • Step 3. \(\mathcal {M}\) computes \(R_i^*=Z_i\oplus ID_i^* \oplus h(b\Vert PW_i^*)\);

  • Step 4. \(\mathcal {M}\) computes \(O_i^*=h(b\Vert PW_i^*)\oplus ID_i^*\oplus R_i^*\);

  • Step 5. \(\mathcal {M}\) computes \(A_i^*=h(T_i\Vert h(y)\Vert N_i)\), where \(N_i\) is from the open channel and h(y) from a legitimate yet curious user/server;

  • Step 6. \(\mathcal {M}\) computes \(Q_i^*=h(O_i^*\Vert A_i^*\Vert N_i)\);

  • Step 7. \(\mathcal {M}\) examines the validity of \(PW_i^*\) by comparing if the computed \(Q_i^*\) equls \(Q_i\) which is intercepted from the open channel.

  • Step 8. \(\mathcal {M}\) goes to Step 2 until the right \(PW_i\) is obtained.

The time complexity is \(\mathcal {O}(|\mathcal {D}_{id}|*|\mathcal {D}_{pw}|*(4T_H+3T_X))\). It can be carried out in a few days on a common computer according to the timings in [17]. Note that, our attack involves the parameter h(y) but not \(h(x\Vert y)\), which is different from Maitra et al.’s attack (see Sect. 6.3 of [10]). When compared with the above “smart card loss attack I”, this attack is less effective as it requires that \(\mathcal {M}\) colludes with a malicious insider. Still, this attack invalidates the claim of achieving truly two-factor security in [9].

No Forward Secrecy.

When analyzing their scheme, Leu and Hsieh do not consider (mention) forward secrecy. We now show that this desirable property cannot be preserved: Supposing an attacker \(\mathcal {M}\) manages to obtain the long-term keys h(y) and \(h(x\Vert y)\) from a compromised/malicious service server and eavesdropped the messages \(\{CID_i, P_{ij}, Q_i, N_i, N_j\}\) exchanged during \(U_i\) and S authentication process from the public channel. For convenience of presentation, assume it is \(U_i\)’s mth login. \(\mathcal {M}\) can calculate \(U_i\) and S’s session key during the jth communication as follows:

  • Step 1. \(\mathcal {M}\) calculates \(T_i\) = \(P_{ij}\oplus h(h(y)\Vert N_i\Vert SID_j)\), \(A_i\) = \(h(T_i\Vert h(y)\Vert N_i))\), where \(\{P_{ij}, N_i\}\) is from the open channel.

  • Step 2. \(\mathcal {M}\) computes \(h(b\oplus PW_i\oplus R_i)\) = \(CID_i\oplus h(T_i\Vert A_i\Vert N_i)\) and \(O_i\) = \(h(h(b\oplus PW_i\oplus R_i)\Vert h(x\Vert y))\), where \(\{CID_i, N_i\}\) is intercepted.

  • Step 3. \(\mathcal {M}\) calculates \(SK^m\) = \(h(O_i\Vert N_i\Vert N_j\Vert A_i\Vert SID_j)\), where \(\{N_i, N_j\}\) is from the open channel.

Once the session key \(SK^m\) leaks, the entire mth communication will be leaked to \(\mathcal {M}\). Maitra et al.’s scheme [10] suffers exactly the same issue.

6 Conclusion

Considerable efforts have been spent on designing an efficient, secure and privacy-preserving two-factor authentication scheme for multi-server environments under the assumption that smart cards can be extracted. Very recently, Xu et al., Wu et al. and Leu-Hsieh made three new attempts. However, through systematic evaluation we reveal that all of them are still subject to various serious defects. Most importantly, our results underscore some new challenges (e.g., attacks arising from the leakage of session-specific information and from malicious insiders) in devising a practical two-factor authentication scheme for multi-server environments.