To enhance the security of wireless communication, authentication schemes have recently become more crucial and more widely deployed, especially multi-factor biometric authentication schemes, which are based on password, biometric, and smart card protections. A new scheme of this kind was proposed in 2010 by Li and Hwang. In 2011, Das extended the work of Li et al. and improved their weak scheme. However, in 2012, Younghwa An demonstrated that Das's protocol failed to achieve mutual authentication between the server and the user. This paper shows that Younghwa An's scheme cannot withstand the following two attacks. (i) It is still vulnerable to a replay attack, through which an adversary can masquerade as the legal server. (ii) It cannot provide user anonymity or resistance to a user masquerading attack, because an adversary can execute the re-registration process by intercepting the IDi in the login phase. Therefore, an improvement to Younghwa An's scheme is presented in this paper. A formal security analysis of the modified scheme using the Burrows–Abadi–Needham logic is then given, which demonstrates that the modified scheme, at a slightly higher computation cost, can protect against several possible attacks. Copyright © 2014 John Wiley & Sons, Ltd.