• multi-server;
  • password authentication protocol;
  • smart card;
  • impersonation attack;
  • server-spoofing attack


In a multi-server environment, a user only needs to register at the registration center once instead of repeatedly registering in each server. After registration, the user can access the resources of any of the servers in the system. Many protocols have been proposed for the same. Recently, Geng–Zhang, Zhu et al., and Yoon–Yoo each proposed a multi-server authentication scheme. They claimed that their schemes are secure and can withstand various attacks. However, after analyses, we found that their schemes are deficient. In this paper, we first demonstrate the deficiencies of these three protocols in turn and then show our improvement on Geng–Zhang's protocol. Our improvement makes use of both the user's and the server's secrecy to achieve mutual authentication. This results in a two-pass multi-server authentication scheme. We have analyzed its security with respect to several factors such as mutual authentication, perfect forward and backward secrecy, and prevention of smart-card-lost attack. Moreover, almost all of the parameters required for a user to log on to a server can be pre-computed. This is very important for a low-energy mobile computing device. That is, our improvement is not only one of the most efficient and secure schemes in this area but also suitable for mobile device. Copyright © 2011 John Wiley & Sons, Ltd.