More secure smart card-based remote user password authentication scheme with user anonymity

In 2009, Xu et al. designed a smart card-based user authentication scheme. It was found at risk of offline password guessing and forgery attacks as proved by Sood et al. They also proposed an improvement to Xu et al.'s scheme with a view to fix its defects. Parallel to Sood et al.'s work, Song also identified that a domestic but illicit user of the system can impersonate other innocent users. Later, Chen et al. claimed that designs of Sood et al.'s and Song's schemes are not flawless, and they built a scheme over both of these schemes. In 2013, Li et al. observed absence of forward secrecy and lack of password validity test by smart card in Chen et al.'s scheme. They also asserted password change phase of Chen et al.'s scheme as unfriendly and inefficient and gave rise to a new scheme. However, we discover many flaws including offline password guessing and impersonation threats in Li et al.'s scheme. We find that none of the aforementioned schemes provide user anonymity. Therefore, we propose a user authentication scheme with user anonymity. The analysis shows that our scheme retains merits of its predecessor schemes, is free from faults identified in these schemes, and also offers some extra features that make it more suitable for practical applications. Copyright (c) 2013 John Wiley & Sons, Ltd.