User authentication plays an important role in generic IoT networks that prevents malicious parties from gaining access to various services offered by remote servers. As user-end IoT devices are typically resource-constrained, how to design secure and efficient multi-factor authentication schemes remains hard to tackle. Very recently, instead of using traditional asymmetric encryption algorithms such as RSA, EIGamal encryption, a number of attempts have been made to employ chaotic maps as building blocks to design multi-factor authentication schemes for IoT environments. In this paper, we first revisit two foremost chaotic maps based multi-factor user authentication schemes presented by Roy et al. and Truong et al., and show that, despite being armed with a formal security proof, none of them can achieve the goal of “truly multi-factor security”. Besides, we find Roy et al.'s scheme fails to achieve the claimed feature of forward secrecy, while Truong et al.'s scheme suffers from stolen verifier attack and violation of user anonymity. Further, we indicate how to mend these weaknesses and propose an enhanced protocol with high efficiency. Security and efficiency analysis suggest that our scheme outperforms existing schemes and is practical for real applications of IoT environments.