A robust anonymous biometric-based authenticated key agreement scheme for multi-server environments

In order to improve the security of remote authentication systems, numerous biometric-based authentication schemes using smart cards have been proposed. Recently, Moon et al. presented an authentication scheme to remedy the flaws of Lu et al.'s scheme, and claimed that their improved protocol supports the required security properties. Unfortunately, we found that Moon et al.'s scheme still has weaknesses. In this paper, we show that Moon et al.'s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack. Furthermore, we propose a robust anonymous multi-server authentication scheme using public key encryption to remove the aforementioned problems. Through the subsequent formal and informal security analysis, we demonstrate that our proposed scheme provides strong mutual authentication and satisfies the desirable security requirements. The functional and performance analysis shows that the improved scheme has the best security functionality and is computationally efficient.


Introduction
Nowadays, security has become an urgent issue for distributed networks. Remote user authentication schemes allow secret data to be transmitted over public channels, and are thus an important cryptographic tool for distributed networks. In 1981, Lamport [1] proposed the first password-based authentication scheme. Since then, a considerable amount of work on password-based authentication schemes has been put forward for different applications [2,3]. However, passwords can be broken in a short time by dictionary guessing attacks. To solve this problem, smart cards combined with password-based authentication schemes [4][5][6][7][8][9][10][11][12] were introduced to enhance the security of user authentication. Unfortunately, problems remain when the smart card is stolen and the stored data is leaked [13][14][15].
Biometric keys, such as fingerprints and irises, are considered unique identifiers of a user and therefore have many advantages. For example, biometric keys cannot be forgotten or lost, are difficult to copy or share, and are not easy to forge or guess. Additionally, one carries biometric keys at any time and from anywhere. Given the security requirements of distributed networks and the good security performance and advantages of biological characteristics, biometric authentication protocols have become more crucial and widely deployed. In 2002, Lee et al. [16] designed the first biometrics-based remote user authentication scheme. In 2004, Lin-Lai [17] [18] pointed out that Lin-Lai's scheme is insecure against server spoofing attack and illustrated an improved scheme. Rhee [19] demonstrated that Khang-Zhang's scheme is vulnerable to impersonation attack and offline password guessing attack. Later, Li-Wang [20] designed an efficient three-factor remote user authentication scheme which only uses symmetric cryptographic primitives and the hash operation. However, in 2011, Das [21] showed that Li-Wang's scheme is insecure against man-in-the-middle attack and does not provide proper authentication, and designed a new authentication scheme based on biometric characteristics. In 2014, Li et al. [25] pointed out that Das et al.'s scheme is vulnerable to forgery attack and stolen smart card attack, and put forward a three-factor remote user authentication scheme. After that, Chaturvedi et al. [26] demonstrated that Li et al.'s scheme does not resist the known session-specific temporary information attack and does not protect user privacy. They also proposed a novel authentication and key agreement protocol to overcome the weaknesses of Li et al.'s scheme.
In 2014, Chuang-Chen [27] proposed an efficient lightweight three-factor authentication protocol for multi-server environments which requires only the hash operation. After that, Mishra et al. [28] showed that Chuang-Chen's scheme is insecure against the denial-of-service attack, stolen smart card attack, server spoofing attack and impersonation attack, and proposed a new biometric-based multi-server authentication protocol to overcome these weaknesses. In 2015, Lu et al. [29] showed that Mishra et al.'s scheme is insecure against server spoofing attack and impersonation attack and cannot provide forward secrecy. They introduced two independent three-factor authentication schemes [29,31] for multi-server architectures, and claimed that the improved schemes have strong security. Unfortunately, Moon et al. [30] showed that Lu et al.'s scheme [29] is vulnerable to outsider attack and user impersonation attack, and put forward an enhanced protocol which fixes the flaws of Lu et al.'s scheme.
Unfortunately, we found that Moon et al.'s biometric-based remote user authentication scheme still has some flaws. In this paper, we first show that Moon et al.'s scheme is vulnerable to insider attack, server spoofing attack, user impersonation attack and guessing attack, and that it does not provide user anonymity. Then we propose an improved authentication scheme for multi-server environments that fixes these design flaws. After that, we show through formal and informal security analysis that our scheme is robust against all known attacks. Finally, we demonstrate that the improved scheme has the best security functionality and is computationally efficient.
The rest of the paper is organized as follows. In section 2, we introduce some preliminary knowledge. Section 3 briefly reviews Moon et al.'s biometric-based remote user authentication scheme. Section 4 shows the design flaws in Moon et al.'s scheme. In order to eliminate the shortcomings discussed in section 4, we propose an enhancement authentication protocol in section 5. Section 6 analyzes the security of the proposed scheme, and Section 7 compares the performance of the enhanced scheme with other related schemes. Finally, we conclude in section 8.

Preliminaries
This section elaborates the definitions of one-way hash function and BioHashing, and the security model.

Definition
One-way hash function. A one-way hash function $h: \{0,1\}^* \to \{0,1\}^n$ takes an arbitrary-length input $x \in \{0,1\}^*$ and produces a fixed-length output $h(x) \in \{0,1\}^n$, called the message digest. The hash function has the following attributes:
• Given x and $h(\cdot)$, it is computationally easy to compute $y = h(x)$.
• It is computationally infeasible (in polynomial time t) to find two inputs $x_1 \ne x_2$ such that $h(x_1) = h(x_2)$.
BioHashing. BioHashing [37] is designed to reduce the probability of denial of access while keeping the false acceptance performance. Taking the biometric feature set and a seed that acts as the "hash key" as input, BioHashing generates a bit vector. More precisely, using uniformly distributed pseudo-random numbers generated from a secret seed, the biometric feature vector $x \in \mathbb{R}^n$ is reduced to a bit vector $b \in \{0,1\}^l$, where $l$ ($l \le n$) is the length of the bit string.

Security model
In this paper, we adopt the security model proposed by Abdalla et al. [38] to prove the security of our protocol.
• Participants. An oracle $\pi^t_{S_j}$ denotes instance t of a party $S_j$, $\pi^u_{U_i}$ denotes instance u of $U_i$, and $\pi^v_{RS}$ denotes instance v of RS.
• Partnering. The partner of an instance $\pi^u_{U_i}$ of $U_i$ is the instance $\pi^t_{S_j}$ of $S_j$, and conversely. The partial transcript of all messages exchanged between $U_i$ and $S_j$ is unique and is called the session ID $sid^u_{U_i}$ of the current session in which $\pi^u_{U_i}$ participates.
• Freshness. $\pi^t_{S_j}$ or $\pi^u_{U_i}$ is fresh only if the session key SK has not been leaked to A.
• Adversary. In the ROR model, A models the real attack via the following oracle queries. To breach the security of the authentication protocol, A has access to the queries given below:
• Execute($\pi^t$, $\pi^u$): The Execute query lets A obtain the messages transmitted between two honest participants; this query models an eavesdropping attack.
• Send($\pi^t$, x): The Send query corresponds to an active attack. After receiving a message x from A, $\pi^t$ executes the protocol and responds with an outgoing message.
• Reveal($\pi^t$): A executes the Reveal query to reveal a session key. If the session has been accepted, $\pi^t$ returns the session key SK computed between $\pi^t$ and its partner; otherwise it returns a null value.
• CorruptSC($\pi^t$): This query models the smart card loss attack and outputs the information stored in $SC_i$.
• Test($\pi^t$): At some point, the adversary A can make a Test query to an oracle $\pi^t$. If the session key SK has been established and is fresh, $\pi^t$ flips an unbiased coin b and responds with the real agreed session key SK if b = 1, or with a random sample drawn from the distribution of the session key if b = 0. Otherwise, it returns $\perp$.
Semantic security of the session key. In the experiment, the adversary A is challenged to distinguish an instance's real session key SK from a random key. A may issue Test queries to either the server instance or the user instance; the outcome of each Test query must be consistent with the random bit b. Eventually, A terminates the game and outputs a bit b' as its guess for b. We say that A wins if b' = b.
Let E denote the event that A wins the game. Then the advantage of A in breaching the semantic security of our proposed authenticated key agreement (AKE) protocol P is $Adv^{ake}_P(\mathcal{A}) = |2\Pr[E] - 1|$. We say that P is a secure multi-server authentication and key agreement protocol in the ROR sense if $Adv^{ake}_P$ is negligible.
Random oracle. To prove the security of the proposed protocol, the one-way hash function $h(\cdot)$ is treated as a random oracle (the Hash oracle), which is available to the adversary A and to every participant. The Hash oracle is simulated by a two-tuple (u, v)

Review of Moon et al.'s scheme
In this section, we briefly review Moon et al.'s scheme, which consists of four phases: registration phase, login phase, authentication phase and password change phase. Table 1 summarizes the notations used in this paper.

Registration phase
The registration and authentication phases are shown in Fig 1. In order to get access to the different services provided by the servers, a user must register through the registration server. $U_i$ first selects an identity $ID_i$ and a password $PW_i$ and inputs his biometrics $BIO_i$.
1. Using the password and the biometrics, the smart card computes $PWD_i = h(PW_i||H(BIO_i))$ and sends $< ID_i, PWD_i >$ to the registration server through a secure channel.
2. Upon receiving the message $< ID_i, PWD_i >$, the registration server computes the card values, stores them onto a smart card and sends the smart card to $U_i$.

Login phase
During the login phase, the user $U_i$ inserts his smart card into the smart card reader, inputs his identity $ID_i$ and password $PW_i$, and imprints his biometric information $BIO_i$. Upon receiving the input, the smart card performs the following steps:
1. The smart card computes $PWD_i = h(PW_i||H(BIO_i))$ and verifies $V_i \overset{?}{=} h(ID_i||PWD_i)$. If the check succeeds, it executes the next step; otherwise the session aborts.

2. The smart card generates a random number $n_1$ and computes
3. The smart card transmits the login request message < Y i , Z i , M 1 , M 2 , M 3 , T 1 > to the server S j through a public channel, where T 1 is the current timestamp.

Authentication phase
After receiving the authentication request < Y i , Z i , M 1 , M 2 , M 3 , T 1 > from the user U i , the server S j executes the following steps to authenticate each other.
1. The server S j firstly checks whether |T c − T 1 | < ΔT, then uses its pre-shared key PSK and . If they are not equal, S j rejects the login request and terminates the session. Otherwise, the server generates a random number n 2 and computes

Password updating
In this phase, $U_i$ can change his password at any time. To change the password, the user performs the following steps:
1. $U_i$ inserts his smart card into the smart card reader and then inputs $ID_i$, $PW_i$ and his biometrics $BIO_i$.

2. The smart card recomputes the verification value and checks whether it is the same as the stored $V_i$. If they are the same, $SC_i$ allows $U_i$ to enter a new password.

Security analysis of Moon et al.'s scheme
Although Moon et al. claimed that their scheme satisfies the required security requirements, we found that it still has several weaknesses: it fails to resist the insider attack, server spoofing attack, guessing attack and impersonation attack. Moreover, their scheme does not provide user anonymity.

Lack of user anonymity
User anonymity means that the adversary cannot obtain or track the identity of the user according to the message transmitted via the public channel, which is an important property to protect the privacy of users. In Moon et al.'s scheme, during authentication phase, Note that all the information transmitted in public channel can be intercepted by the adversary. The parameter

Insider attack
Insider attack means that an insider can obtain sensitive credentials from the information stored in RS. In Moon et al.'s scheme, during the user registration phase, $U_i$ submits his identity $ID_i$ and $PWD_i$ to RS. In order to prevent duplicate user registration, RS has to store the user's ID. If an adversary obtains the list of identities, the damage is severe: the adversary can impersonate $U_i$ as described in the user impersonation attack below.

Server spoofing attack
4. $U_i$ computes the session key $SK_{ij} = h(n_1||n_2||K||T_2)$ and believes that he is communicating with $S_j$.
Therefore, a legal but malicious server $S_k$ can masquerade as another server $S_j$ to fool any legal user, and Moon et al.'s scheme is vulnerable to server spoofing attack.

Guessing attack
Moon et al.'s scheme is vulnerable to identity guessing attack, which is a critical concern in their scheme. If the adversary can extract the secret value $W_i$ from the legal user's smart card by some means and obtain the value of $M_1$ from the public channel, the adversary can easily find out $ID_i^*$ by a guessing attack in which each guess $ID_i^*$ is verified as follows.
1. The adversary chooses $ID_i^*$ and computes $K = h((W_i \oplus ID_i^*)||SID_j)$.
2. The adversary verifies the correctness of the guess $ID_i^*$ against the intercepted $M_1$.
3. The adversary repeats the above steps until a correct $ID_i^*$ is found.

User impersonation attack
In a remote user authentication scheme, anyone who holds valid authentication credentials, or who is capable of constructing a valid authentication request message, is treated as a legal user. In Moon et al.'s protocol, an adversary can impersonate a valid user as described below.
1. As shown in the insider attack and guessing attack above, an adversary can obtain $U_i$'s personally identifiable information $ID_i$. He also extracts the secret values $W_i$ and $X_i$ from the legal user's smart card by some means.
5. The server $S_j$ computes $M_{6m} = h(SK_{ij}||ID_i||n_2||T_3)$ and compares it with the received value of $M_{6m}$. They are obviously equal, so the server successfully authenticates the user $U_i$ and accepts the login request message.
6. After mutual authentication, the server $S_j$ and the adversary masquerading as the user $U_i$ agree on the common session key $SK_{ij} = h(n_1||n_2||K||X_i)$.

Our proposed scheme
In this section, we propose an improved remote user authentication scheme to fix the drawbacks in Moon et al.'s scheme. Our proposed protocol consists of four phases: registration, login, mutual authentication with key-agreement and password change. Fig 2 describes our proposed scheme.

Registration phase
When the remote user authentication scheme starts, the user $U_i$ and the server $S_j$ perform the following steps to register with the registration server (RS).

Server registration.
To register with the system, a server $S_j$ sends its identity $SID_j$ and its public key $Pub_j$ to RS. Upon reception, RS shares the secret key PSK with $S_j$ and publishes $Pub_j$, so that all users can obtain it.

User registration.
1. $U_i$ freely selects a unique identity $ID_i$ and a password $PW_i$, and scans his biometrics $BIO_i$. Then $U_i$ computes $IDB_i = h(ID_i||H(BIO_i))$ and $PWD_i = h(PW_i||H(BIO_i))$ and sends $< h(ID_i), IDB_i, PWD_i >$ to RS over a secure channel.

2. Upon reception, RS computes
3. RS sends SC to U i over a secure channel.

Login phase
1. $U_i$ initiates the login by inserting the smart card (SC) and inputting $ID_i$, $PW_i$ and $BIO_i$.

2. SC computes $PWD_i = h(PW_i||H(BIO_i))$ and then checks whether the verification condition holds. If it does not, the login session is aborted. Otherwise, SC generates a random number $n_1$, computes $K = h((W_i \oplus IDB_i) \oplus h(ID_i||n_1))$, $M_1 = E_{Pub_j}(ID_i||n_1)$ and $Z_i = h(n_1||ID_i||K||T_1)$, and sends $< M_1, Z_i, T_1 >$ to the server $S_j$ as the login request message.
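As an added, constructed example (not the paper's own code), the user registration and login steps above are run in Python together with the server-side handling of the request: $S_j$ checks $T_1$, recovers $ID_i$ and $n_1$ with $Pri_j$, recomputes K from PSK and verifies $Z_i$, after which both sides derive $SK_{ij} = h(n_1||n_2||K||ID_i)$. Assumptions: $h(\cdot)$ and $H(\cdot)$ are SHA-256 stand-ins (a real BioHash tolerates template noise), $E_{Pub_j}$ is textbook RSA on a freshly generated toy key used only so the flow runs offline, the one-byte length prefix inside $M_1$ is added framing, and because the response $< M_2, M_3, T_2 >$ is not reproduced, $n_2$ is handed to the user directly.

```python
import hashlib
import secrets

def h(*parts: bytes) -> bytes:
    """One-way hash h(.); the paper's '||' is byte concatenation here."""
    return hashlib.sha256(b"".join(parts)).digest()

def H(bio: bytes) -> bytes:
    """Stand-in for BioHashing H(.); a real BioHash tolerates template noise."""
    return hashlib.sha256(bio).digest()

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def is_probable_prime(n: int, rounds: int = 24) -> bool:
    """Miller-Rabin, used only to build the stand-in RSA key pair <Pub_j, Pri_j>."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def rsa_keygen(bits: int = 256):
    """Textbook RSA at toy size with no padding: demo only (use RSA-OAEP in practice)."""
    def prime(k: int) -> int:
        while True:
            c = secrets.randbits(k) | (1 << (k - 1)) | 1
            if is_probable_prime(c):
                return c
    while True:
        p, q = prime(bits // 2), prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % 65537:
            return (p * q, 65537), (p * q, pow(65537, -1, phi))

def register(ID: bytes, PW: bytes, BIO: bytes, PSK: bytes) -> dict:
    """User registration: U_i sends <h(ID_i), IDB_i, PWD_i>; RS builds the smart card."""
    HB = H(BIO)
    IDB, PWD, hID = h(ID, HB), h(PW, HB), h(ID)      # RS never sees ID_i, PW_i or BIO_i
    return {"V": h(hID, PWD), "W": xor(h(hID, PSK), IDB)}

def login(card: dict, ID: bytes, PW: bytes, BIO: bytes, pub_j, T1: int):
    """Login phase on SC: local V_i check, then the request <M_1, Z_i, T_1>."""
    HB = H(BIO)
    if card["V"] != h(h(ID), h(PW, HB)):
        raise ValueError("V_i check failed: wrong ID, password or biometric")
    n1 = secrets.token_bytes(16)
    K = h(xor(xor(card["W"], h(ID, HB)), h(ID, n1)))  # W_i xor IDB_i = h(h(ID_i)||PSK)
    # E_Pub_j(ID_i||n_1); the leading length byte is added framing, not in the paper
    M1 = pow(int.from_bytes(bytes([len(ID)]) + ID + n1, "big"), pub_j[1], pub_j[0])
    Z = h(n1, ID, K, T1.to_bytes(8, "big"))
    return (M1, Z, T1), (n1, K)

def server_authenticate(pri_j, PSK: bytes, request, Tc: int, dT: int = 5):
    """S_j: timestamp check, recover ID_i and n_1 with Pri_j, recompute K, verify Z_i."""
    M1, Z, T1 = request
    if abs(Tc - T1) >= dT:
        return None                                      # stale or replayed request
    v = pow(M1, pri_j[1], pri_j[0])
    raw = v.to_bytes((v.bit_length() + 7) // 8, "big")  # first byte (length) is non-zero
    ID, n1 = raw[1:1 + raw[0]], raw[1 + raw[0]:]
    K = h(xor(h(h(ID), PSK), h(ID, n1)))                # same K, derived from PSK
    if Z != h(n1, ID, K, T1.to_bytes(8, "big")):
        return None                                      # forged or tampered request
    return ID, n1, K, secrets.token_bytes(16)            # n_2 for the key agreement

def run_demo() -> dict:
    """Constructed values: one honest session, then a replay and a tampering attempt."""
    PSK, (pub_j, pri_j) = secrets.token_bytes(32), rsa_keygen()
    ID, PW, BIO = b"alice", b"correct horse", b"constructed-fingerprint-template"
    card = register(ID, PW, BIO, PSK)
    T1 = 1_700_000_000
    request, (n1, K_u) = login(card, ID, PW, BIO, pub_j, T1)
    ID_s, n1_s, K_s, n2 = server_authenticate(pri_j, PSK, request, Tc=T1 + 1)
    # <M_2, M_3, T_2> is not on the page; n_2 is handed over directly instead
    return {
        "sk_user": h(n1, n2, K_u, ID),                   # SK_ij = h(n_1||n_2||K||ID_i)
        "sk_server": h(n1_s, n2, K_s, ID_s),
        "replay_rejected": server_authenticate(pri_j, PSK, request, Tc=T1 + 60) is None,
        "tamper_rejected": server_authenticate(pri_j, PSK, (request[0], bytes(32), T1), Tc=T1 + 1) is None,
    }
```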

Password changing phase
This procedure is invoked whenever a user $U_i$ wants to update his password to a new password $PWD_i^*$, without using a private channel or communicating with RS.
1. $U_i$ inserts the smart card SC and inputs $ID_i$, $PW_i$ and $BIO_i$.

2. SC computes $PWD_i = h(PW_i||H(BIO_i))$ and then verifies the condition. If the condition does not hold, the request is dropped.

3. $U_i$ chooses a new password $PW_i^*$ and then computes $PWD_i^*$
Thus the smart card finally contains the parameters $\{V_i^*, W_i, h(\cdot), H(\cdot)\}$.

Security analysis of the proposed scheme
In this section, we use Burrows-Abadi-Needham logic (BAN-logic) [39] to verify the completeness of our scheme, then we prove the security of the scheme through formal and informal analysis.

Verifying the proposed scheme with BAN logic
The BAN logic introduced by Burrows et al. is a formal method for analyzing the security properties of information exchange protocols. It helps determine whether the exchanged information is trustworthy and whether it can resist eavesdropping. In this paper, we use BAN logic to prove that a user and a server share a session key after successfully running the protocol. We first introduce the BAN logic notations used in this paper in Table 2, followed by the inference rules.
Message-meaning rule: If P believes that K is the shared key of P and Q, and P receives the message X encrypted with K, then P believes that Q has sent message X.

Jurisdiction rule: $\dfrac{P \mid\equiv Q \Rightarrow X,\; P \mid\equiv Q \mid\equiv X}{P \mid\equiv X}$: If P believes that Q has the right to control X and P believes that Q also trusts X, then P trusts X.

Nonce-verification rule: $\dfrac{P \mid\equiv \#(X),\; P \mid\equiv Q \mid\sim X}{P \mid\equiv Q \mid\equiv X}$: If P believes that X is fresh and P believes that Q has sent X, then P believes that Q believes X.

Freshness-conjuncatenation rule: $\dfrac{P \mid\equiv \#(X)}{P \mid\equiv \#(X, Y)}$: If P believes that X is fresh, then P believes that (X, Y) is also fresh.

Table 2. Notations used in the BAN logic analysis (https://doi.org/10.1371/journal.pone.0187403.t002).
$P \mid\equiv X$: P believes the statement X is true.
$P \lhd X$: P sees X.
$P \mid\sim X$: P once said X, or has sent a message containing X.
$P \Rightarrow X$: P has control over X.
$\#X$: X is fresh.
$P \xleftrightarrow{K} Q$: P and Q can communicate using the shared key K; only P, Q or a trusted third party know K.
$\{X\}_K$: The formula X is encrypted by K.
$\overset{K}{\rightarrow} P$: K is the public key of P; only P knows the corresponding secret key $K^{-1}$.

Scheme analysis
$a_0$. $S_j \lhd \{n_1, ID_i\}_{Pub_j}$. Since $Pri_j$ is known only to $S_j$, only $S_j$ can obtain the values of $ID_i$ and $n_1$. No one can obtain the value of K unless he holds the true $Pri_j$ and PSK at the same time.
We employ the Message-meaning rule according to $p_5$ and $a_1$ to derive:
According to $a_2$ and $p_3$, we apply the Freshness-conjuncatenation rule and the Nonce-verification rule to get:
According to $a_3$ and $p_8$, we employ the Jurisdiction rule and the belief rule to obtain:
According to $a_4$ and $S_j \lhd (U_i \xleftrightarrow{SK_{ij}} S_j, n_2, T_3)_{ID_i, T_3}$, we employ the Message-meaning rule to obtain:
According to $a_5$ and $p_4$, we apply the Nonce-verification rule and the Freshness-conjuncatenation rule to obtain:
Finally, we employ the belief rule to obtain:
According to $g_1$ and $p_9$, we utilize the Jurisdiction rule to obtain:
According to $p_6$ and $U_i \lhd (ID_i, n_1, n_2, T_2)_K$, we employ the Message-meaning rule to obtain:
According to $a_7$ and $p_1$, we apply the Nonce-verification rule and the Freshness-conjuncatenation rule to derive:
According to $a_8$ and $p_1$, $p_3$, $p_4$, $p_6$ and $SK_{ij} = h(n_1||n_2||K||ID_i)$, we apply the Freshness-conjuncatenation rule and the Nonce-verification rule to derive:
According to $g_3$ and $p_{10}$, we utilize the Jurisdiction rule to obtain:

Formal analysis
We use provable security to prove the security of our scheme. The security proof is based on the model of RSA-based password authentication.
Theorem 1. Let A be an adversary that runs in polynomial time t against our protocol P in the random oracle model, D be a uniformly distributed password dictionary, l denote the number of bits of the biometric key $BIO_i$, and |Hash| and |D| denote the range of the hash function and the size of D, respectively. If A makes $q_h$ Hash queries and $q_{send}$ Send queries, then the advantage of A in breaking the SK-security of P is
$Adv^{ake}_P(\mathcal{A}) \le \dfrac{q_h^2}{|Hash|} + \dfrac{q_{send}}{2^{l-1} \cdot |D|} + 2Adv^{RSA}(t)$,
where $Adv^{RSA}(t)$ is the advantage of an adversary A in solving the large-integer factorization problem underlying RSA.
Proof. The proof is finished by executing a sequence of hybrid games G i . For each game G i , let E i denote the event that the adversary succeeds in guessing the bit b in game G i .
Game $G_0$: This game corresponds to the real attack in the random oracle model. Thus, we can write $Adv^{ake}_P(\mathcal{A}) = |2\Pr[E_0] - 1|$.
Game $G_1$: By querying the Execute oracle, this game simulates A's eavesdropping attack. The adversary then queries the Test oracle and decides whether its output is the real session key SK or a random number, where $SK_{ij} = h(n_1||n_2||K||ID_i)$. Note that PSK and $IDB_i$ are secrets of $S_j$ and $U_i$. The adversary has no knowledge of PSK, $IDB_i$ or $ID_i$, so eavesdropping on the messages cannot increase the adversary's chance of winning in $G_1$. So we have $\Pr[E_1] = \Pr[E_0]$.
Game $G_2$: The difference between $G_2$ and $G_1$ is that we add the simulations of the Send and Hash oracles. $G_2$ models an active attack in which A tries to deceive a participant into accepting a forged message. A can make several Hash queries to find collisions. Note that the messages $\{M_1, Z_i, T_1\}$ and $\{M_2, M_3, T_2\}$ are bound to the timestamps $T_1$, $T_2$, the random numbers $n_1$ and $n_2$, and the $ID_i$ of $U_i$, hence there is no collision when querying the Send oracle. According to the birthday paradox, we have
Game $G_3$: This game simulates the CorruptSC oracle, which models the smart card lost attack. Since the chosen password has low entropy, A may attempt an online dictionary attack with the information obtained from the smart card. In addition, A may try to obtain the biometric key $B_i$ from the information collected from the smart card $SC_i$. Our protocol P uses BioHash, which extracts at most l nearly random bits, therefore the probability that A guesses the biometric key $B_i \in \{0,1\}^l$ is approximately $1/2^l$. If the number of wrong password inputs is limited by the system, the probabilities can be estimated as follows:
Game $G_4$: This game models an attack in which A has to compute the real session key $SK_{ij} = h(n_1||n_2||K||ID_i)$ using K and $ID_i$ obtained from the eavesdropped messages $\{M_1, Z_i, T_1\}$ and $\{M_2, M_3, T_2\}$.
A cannot compute $K = h((W_i \oplus IDB_i) \oplus h(ID_i||n_1))$ or $(ID_i||n_1) = E_{Pri_j}(M_1)$, as $ID_i$, $Pri_j$ and $IDB_i$ are unknown. A also needs to derive $n_1$ and $n_2$ from $M_1$ and $M_2$, respectively. We then have

Smart card stolen attack.
Suppose the smart card is stolen by an adversary and the stored information $< V_i, W_i, h(\cdot), H(\cdot) >$ on it is extracted. The adversary may then try to obtain $ID_i$, $PW_i$ and $BIO_i$ from the extracted information. However, the adversary cannot obtain any valuable information from these values, where $V_i = h(h(ID_i)||PWD_i)$ and $W_i = h(h(ID_i)||PSK) \oplus IDB_i$, since all the important parameters such as $ID_i$ and $PW_i$ are protected by a one-way hash function. The adversary cannot obtain any login information from the stored parameters $V_i$ and $W_i$, and guessing the real identity $ID_i$ and the password $PW_i$ at the same time is impractical. Therefore, the proposed protocol is secure against the smart card stolen attack.

Replay attack.
If an adversary has intercepted all the communicated messages $< M_1, Z_i, T_1 >$ and $< M_2, M_3, T_2 >$, he may replay them to $U_i$ or $S_j$ to masquerade as a legal user. However, once a message is replayed, the server immediately detects the attack and rejects the request because of the timestamp check. Hence, our scheme is secure against the replay attack.

No verification table
In the proposed scheme, neither the registration server nor the application servers store the passwords or the biometric templates of users. Therefore, even if an adversary steals the information stored in RS or the database of $S_j$, he still cannot obtain $ID_i$, $PW_i$, $BIO_i$ or any other sensitive information of users.
User masquerade attack.
Assume an adversary steals the smart card of a legal user and wants to obtain service by mounting a user impersonation attack. To impersonate $U_i$, the adversary needs to build a login request message $< M_1, Z_i, T_1 >$. However, the adversary cannot compute $M_1$ and $Z_i$ without the user's private information $ID_i$ and $H(BIO_i)$. Moreover, the adversary has to pass the login phase before sending the login request: SC computes $PWD_i = h(PW_i||H(BIO_i))$ and then verifies whether $V_i \overset{?}{=} h(ID_i||PWD_i)$ holds, and unless the correct credentials are entered the process is terminated. Therefore, the adversary requires $ID_i$, $PW_i$ and $BIO_i$ for any further computation, and the probability of obtaining all three correctly is negligible.
Server impersonation attack.
Unlike Moon et al.'s protocol, the server $S_j$ not only keeps the unique long-term key PSK but also holds the key pair $< Pub_j, Pri_j >$. The key pair of each server is distinct, and $Pri_j$ is known only to $S_j$. Consider a scenario where an adversary captures $< M_1, Z_i, T_1 >$ and tries to impersonate a valid server by responding with a message $< M_2, M_3, T_2 >$. The values of $ID_i$, K and $n_1$ are prerequisites, but the adversary cannot obtain any of them without knowledge of $Pri_j$. If the adversary nevertheless forges a message $< M_2, M_3, T_2 >$ without the right values of $ID_i$, K and $n_1$, $U_i$ identifies it as a malicious attempt on receipt, because the check $M_3' \overset{?}{=} M_3$ fails. Thus, our proposed protocol is secure against the server impersonation attack.

Forward secrecy.
In our improved protocol, the session key is $SK_{ij} = h(n_1||n_2||K||ID_i)$; the long-term private keys of the servers differ from server to server and are not shared with any registered $U_i$. Even if the adversary has obtained the long-term key PSK, he still cannot compute a valid session key without the secret parameters $ID_i$ and $n_1$, which are protected by $Pub_j$ and decryptable only with $Pri_j$. Moreover, the parameters $n_1$ and $n_2$ are random for each session. Therefore, the session key remains safe even if the long-term private key of the server is compromised.

Functional analysis
We perform a comparative analysis of previous schemes, which is illustrated in Table 3. From the table, we can find that the proposed scheme is more secure and provides more functionality requirements than the other related schemes. Moreover, the proposed scheme achieves all resistance requirements.

Performance analysis
Now we compare the computational costs and execution time of the proposed scheme with the other related schemes. For the evaluation, let $T_h$, $T_{Re}$, $T_{Rd}$, $T_{sym}$ and $T_{epm}$ denote the execution time of a one-way hash, an RSA encryption, an RSA decryption, a symmetric-key encryption/decryption and an elliptic curve point multiplication, respectively. According to Kilinc et al.'s [40] estimation, the average running time of $T_h$ is about 0.0023 ms, $T_{Re}$ is 3.8500 ms, $T_{Rd}$ is 0.1925 ms, $T_{sym}$ is 0.1303 ms and $T_{epm}$ is 2.229 ms. Table 4 lists the computational cost and time consumption of our improved scheme and of the previously proposed schemes. The results show that the proposed scheme is the least computationally expensive among the schemes based on public key cryptography [31][32][33][34]. Although our proposed scheme costs more time than the remaining schemes [27][28][29][30], it is more secure than them. To sum up, only the proposed scheme provides both computational efficiency in accomplishing mutual authentication and key agreement and the basic security properties against the known threats; the other schemes are either vulnerable to various attacks [27][28][29][30][31] or need more time than our scheme [31][32][33][34].

Conclusion
In this paper, we first analyzed the security of Moon et al.'s scheme and demonstrated that it is vulnerable to the insider attack, guessing attack and impersonation attack. Moreover, their scheme does not provide user anonymity. To overcome these drawbacks, we proposed an improved biometric-based authentication scheme for multi-server environments and proved that it provides secure authentication through formal security analysis using Burrows-Abadi-Needham logic (BAN logic) and the random oracle model. Moreover, we have shown through informal security analysis that our scheme is robust against all known attacks. The functional and performance analysis shows that the improved scheme has the best security functionality and is computationally efficient.