Security Analysis of an Anonymous Authentication Scheme Based on Smart Cards and Biometrics for Multi-server Environments

User authentication is an important technology for E-commerce, especially when it is done by using smart cards. Authentication schemes based on smart cards can guarantee that a user using the smart card is legal and has the authorization to access resources (eg., a bank account or a remote server) behind the smart card. Due to its usefulness, authentication schemes based on smart cards have been widely researched in recent years. In 2014, Choi introduced a security enhanced anonymous multi-server authenticated key agreement scheme using smart card and biometrics. Kuo et. al recently found that Choi’s scheme is insecure against card losing attack and made an improvement to deal with the problem. However, in this paper, we will show that Kuo et. al’s new scheme made the situation even worse. In their new scheme, any server having communicated with and received information from a card of a user can impersonate the user and enjoy the service (eg., on-line shopping) from the server on behalf of the original user without the card on-hand. We conduct a detailed analysis of flaws in their scheme in the hope that no similar mistakes are made in the future. An improved scheme is left as a future work.