#### Abstract

With the rapid development of mobile services, multiserver authentication protocol with its high efficiency has emerged as an indispensable security mechanism for mobile services. Recently, Ali et al. introduced a biometric-based multiserver authentication scheme and claimed the scheme is resistant to various attacks. However, after a careful examination, we find that Ali et al.’s scheme is vulnerable to various security attacks, such as user impersonation attack, server impersonation attack, privileged insider attack, denial of service attack, fails to provide forward secrecy and three-factor secrecy. To overcome these weaknesses, we propose an improved biometric-based multiserver authentication scheme using elliptic curve cryptosystem. Formal security analysis under the random oracle model proves that our scheme is provably secure. Furthermore, BAN (Burrows-Abadi-Needham) logic analysis demonstrates our scheme achieves mutual authentication and session key agreement. In addition, the informal analysis proves that our scheme is secure against all current known attacks and achieves desirable features. Besides, the performance and security comparison shows that our scheme is superior to related schemes.

#### 1. Introduction

Nowadays, millions of people enjoy various mobile services such as mobile shopping, mobile entertainment, and mobile learning, by using various mobile devices. Due to the openness of mobile network, when the users are enjoying great conveniences brought by mobile services, they simultaneously face a great deal of security threatens, such as diverse network attacks and privacy leaks. Authentication protocol plays a great role in protecting the security and privacy of users as an indispensable security mechanism for various mobile services. It provides mutual authentication, user anonymity, and establishes secure session key for server and users [1].

With the continuous expansion of the scale of mobile services, multiserver mode has been widely adopted by numerous mobile service application systems [2]. When the traditional single-server authentication schemes are applied to multiserver environment, it is extremely inconvenient for user to register himself with every server and keep many pairs of identity and password. To overcome this problem, multiserver authentication schemes have been introduced [3–10]. These schemes make the user registers once with registration center and keeps one pair of identity and password to obtain all the services. Multiserver authentication schemes are more attractive as high efficiency and convenience. But on the other hand, multiserver authentication schemes have more requirements for security. The user employs the same authentication information to access diverse servers. If the authentication information is compromised, it will bring tremendous damage to user’s assets. Besides, the malicious server may masquerade another server to defraud the user or impersonate user to access server based on the secret it has. This privileged insider attack should be overcome.

In the past 20 years, many multiserver authentication schemes using password and smart card have been put forward [11–16]. However, the smart card may be lost or stolen, and the malicious attacker can retrieve the data in smart card by side channel attack. It increases the risk of security breach [17]. To overcome this weakness, biometric authentication element has been added in authentication schemes in recent years because of its good characteristics. Three-factor authentication schemes that adopt password, smart card, and biometric facilitate better security.

Recently, some three-factor multiserver authentication schemes have been introduced. In 2010, Yoon et al. [18] introduced an efficient biometric-based multiserver authentication scheme using elliptic curve cryptosystem (ECC). Later on, Kim et al. [19] pointed out Yoon et al.’s scheme cannot resist smart card loss attack, forgery attack, and fails to provide forward secrecy. In 2015, Amin et al. [20] proposed a three-factor multiserver authentication scheme using bilinear pairing. Afterwards, Chandrakar et al. [21] proved Amin et al.’s scheme is susceptible to offline password guessing attack, impersonation attack, and fails to achieve user anonymity. He et al. [22] introduced a biometric-based multiserver authentication scheme using fuzzy extractor and ECC and claimed their scheme achieves intrinsically three-factor secrecy. But we observed He et al.’s scheme is susceptible to known session-specific temporary information attack and cannot detect wrong password and biometric immediately. In 2016, Wang et al. [23] presented a three-factor multiserver authentication scheme using hash function and fuzzy extractor. But Yang et al. [24] pointed out Wang et al.’s scheme cannot resist user impersonation attack and fails to achieve forward secrecy. In 2017, Kumari et al. [25] proposed a biometric-based multi-cloud-server authentication scheme using ECC and bio-hash function. However, Feng et al. [26] demonstrated that Kumari et al.’s scheme suffers from server impersonation attack and introduced an enhanced scheme. Unfortunately, we found Feng et al.’s scheme fails to achieve three-factor secrecy and suffers from known session-specific temporary information attack. Ali et al. [27] introduced a three-factor multiserver authentication scheme using symmetric encryption and ECC and claimed their scheme is resistant to a variety of security attacks. However, we found that Ali et al.’s scheme is not as secure as it claimed by demonstrating their scheme is vulnerable to a variety of serious security attacks.

Either the existing three-factor multiserver authentication schemes [18–30] have more or less vulnerabilities, or their communication and computation costs need to be improved. This moves us to design a secure three-factor multiserver authentication scheme with higher efficiency. Our contributions are summed up as follows.(1)We prove that Ali et al.’s scheme suffers from user impersonation attack, privileged insider attack, server impersonation attack, denial of service attack, and known session-specific temporary information attack. Besides, the scheme fails to achieve forward secrecy and three-factor secrecy.(2)We propose a novel biometric-based multiserver authentication scheme using ECC. Formal security analysis under the random oracle model proves our scheme is provably secure. BAN logic proof proves the completeness of our scheme. Moreover, informal analysis demonstrates our scheme achieves various desirable features and is resistant to all known attacks.(3)In addition, the performance and security comparison shows that our scheme achieves superior security properties. Moreover, our scheme has the least communication overhead and computation cost.

##### 1.1. Adversary Model

When evaluating a three-factor multiserver authentication scheme, the capacities of adversary are described as follows.(1) may be an external attacker or a privileged insider.(2) can fully control the public channel; namely, is able to interrupt, eavesdrop, forge, and modify the messages transmitted via public channel.(3) is able to enumerate all the values in in polynomial time, where denotes the password space and denotes the identity space [31].(4) is able to get user’s password by shoulder surfing. can retrieve the data in smart card by power consumption analysis. is able to get the biometric of user by a malicious terminal [32].(5)When evaluating three-factor secrecy, is able to get any two kinds of authentication elements at the same time but cannot get all [26].(6)When evaluating forward secrecy, can get the master key of* RC *or the secret key of server.

The user tends to choose an easy-to-remember password with low strength. The user identity usually is based on the predefined format. The identity and password may be of low entropy and can be easily guessed. According to the adversary model presented by Wang et al. [31], we assume the adversary is able to enumerate all the values in in polynomial time.

Three-factor secrecy denotes that if any two kinds of authentication elements are compromised, the attacker still cannot breach the other one and damage the security of the system [26]. Such a consideration is of practical significance. The adversary may get user’s password by shoulder surfing or the data in smart card via side channel attack. Moreover, the adversary is able to obtain the biometric of user by a malicious biometric-based terminal.

##### 1.2. The Organization of Paper

The structure of this paper is arranged as follows. We brief review and cryptanalyze Ali et al.’s scheme in Sections 2 and 3. Section 4 introduces a novel biometric-based authentication scheme for multiserver environment. We give the security proof and informal security analysis of the proposed scheme in Sections 5 and 6. Section 7 is security and performance comparison of the relevant schemes. Section 8 concludes the paper. In addition, we sum up the notations of this paper in Table 1.

#### 2. Review of Ali et al.’s Scheme

Ali et al.’s scheme consists of four phases: initial phase, server registration phase, user registration phase, login and authentication phase.

##### 2.1. Initial Phase

*RC* chooses its master key* x*. Then* RC* selects an elliptic curve group and a generator of .

##### 2.2. Server Registration Phase

enrolls with* RC* in the following steps.

*Step 1. *The server picks its identity and sends as a registration request to* RC* through the reliable channel.

*Step 2. *Upon receiving from ,* RC* computes and returns to through the reliable channel.

*Step 3. * keeps as secret.

##### 2.3. User Registration Phase

enrolls with* RC* in the following steps.

*Step 1. * picks his identity and password freely and imprints his biometric . sends the registration request to* RC* through the reliable channel.

*Step 2. *Upon receiving from ,* RC* computes , , , , where is a random number.* RC* stores in a smart card and transmits it to through the reliable channel.

*Step 3. * calculates and stores in his smart card.

##### 2.4. Login and Authentication Phase

and authenticate each other and establish a session key drawing support from* RC* as shown in Figure 1.

*Step 1. * attaches the smart card to a terminal, inputs and , and imprints . The smart card calculates and checks if . If the equation holds, proceed to the next step.

*Step 2. * computes , , , , where is a random number. sends to* RC* through the public communication channel.

*Step 3. *After receiving ,* RC* computes , , , , and compares with . If they are equal, proceed to the next step.

*Step 4. **RC* computes , , , , , where is a random number.* RC* sends to .

*Step 5. *Upon receiving , computes , , and checks if . If it holds, computes , , , where is a random number. sends to .

*Step 6. *Upon receiving , computes , , and checks if . If the equation holds, computes , . replaces with in his smart card and sends to .

*Step 7. *Upon receiving , computes , and checks if . If the equation holds, and authenticate each other and establish a session key successfully.

#### 3. Cryptanalysis of Ali et al.’s Scheme

In this section, we demonstrate that Ali et al.’s scheme is susceptible to several security attacks. Note that, we cryptanalyze Ali et al.’s scheme on the basis of the adversary capacities mentioned in Section 1.

##### 3.1. Forward Secrecy

The adversary compromises the master key* x*, and intercepts and from public channel. Then is able to retrieve the session key in the following steps.

*Step 1. *Compute , .

*Step 2. *Compute .

*Step 3. *Compute .

*Step 4. *Compute .

##### 3.2. User Impersonation Attack

The adversary gets ’s identity by shoulder surfing and ’s biometric by a malicious terminal and intercepts from public channel. Then performs user impersonation attack in the following steps.

*Step 1. * computes, , , , where is a random number. sends to* RC*.

*Step 2. *Upon receiving ,* RC* computes ), , , , obviously =. Then* RC* computes , , , , , where is a random number.* RC* sends to .

*Step 3. *Upon receiving , computes , , , obviously . Then computes , , , where is a random number. sends to .

*Step 4. *Upon receiving , computes , , , and sends to .

*Step 5. *Upon receiving , computes , , obviously . regards as legitimate user .

##### 3.3. Server Impersonation Attack

The adversary obtains ’s biometric and intercepts from public channel. Afterwards, performs server impersonation attack in the following steps.

*Step 1. * chooses two random numbers and computes , , , , , , , where is a random binary string whose length is equal with . sends to .

*Step 2. *Upon receiving , computes , , , obviously ; regards as the server . computes , . replaces with in his smart card, sends to .

*Step 3. *Upon receiving , computes . establishes a session key with successfully.

##### 3.4. Denial of Service Attack

In the process of server impersonation attack, the adversary delivers a forged dynamic identity to . believes its validity and stores it in the smart card. When intends to access the server, sends a login request with to* RC.* As is a random binary string rather than the encryption results of and a random number,* RC* rejects the login request. In addition, cannot login any server, unless reregister with* RC*.

##### 3.5. Privileged Insider Attack

In authentication phase of Ali et al.’s scheme, and new dynamic identity is exposed to . With and , who acts as a privileged insider can masquerade user to access server or impersonate the other server to defraud . As their attack procedures are the same with aforementioned user impersonation attack and server impersonation attack, we omit it.

##### 3.6. Known Session-Specific Temporary Information Attack

Known session-specific temporary information attack is a cryptanalysis under the circumstance the temporary secret value such as random number is leaked and the adversary tries to breach the current session key. Suppose that obtains ’s biometric and intercepts from public channel. In the case that random number is compromised. can get the session key in the following steps.

*Step 1. *Compute .

*Step 2. *Compute .

*Step 3. *Compute .

*Step 4. *Compute .

*Step 5. *Compute .

##### 3.7. Three-Factor Secrecy

In case that ’s smart card and biometric are breached, the adversary is able to acquire ’s password via the following steps.

*Step 1. *Guess the value of to be from identity dictionary space; guess the value of to be from identity dictionary space.

*Step 2. *Compute ; check if . If the equation holds, it shows that is ’s real identity and is ’s correct password.

*Step 3. *Repeat Steps 1 and 2, until finds the correct and .

When the smart card and biometric of user are compromised, the attacker is able to breach the password. On the other hand, is able to impersonate user successfully as long as he gets the biometric of user. Ali et al.’s scheme fails to achieve three-factor secrecy.

#### 4. The Proposed Scheme

In this section, we present a biometric-based remote user authentication scheme for multiserver environment. The proposed scheme includes the following five phases.

##### 4.1. Initial Phase

*RC* chooses an elliptic curve group of order* p *and a generator of .* RC* generates a random number and computes .* RC* publishes and keeps as secret.

##### 4.2. Server Registration Phase

The server registers with* RC* in the following steps.

*Step 1. * picks its identity freely and delivers to* RC* through the reliable channel.

*Step 2. *Upon receiving ,* RC* calculates and returns to via the reliable channel.

*Step 3. * keeps as secret.

##### 4.3. User Registration Phase

The user registers with* RC* in the following steps. As described in Figure 2.

*Step 1. * chooses his identity and password freely and imprints his biometric . calculates , where is a random number. Afterwards, is transmitted to* RC* through the reliable channel.

*Step 2. *Upon receiving ,* RC* computes , , , where .* RC* stores in a smart card and transmits it to via the reliable communication channel.

*Step 3. * stores in the smart card.

##### 4.4. Login and Authentication Phase

The user and the server authenticate each other and establish a session key by the aide of* RC* in the following steps. As shown in Figure 3.

*Step 1. * attaches the smart card to a terminal, enters and , and imprints . Then the smart card calculates , and checks if . If this equation holds, the smart card computes , , , , where is a random number. is transmitted to* RC *via the public channel.

*Step 2. *After receiving ,* RC* computes , , and checks if . If the equation holds,* RC* computes , , . is transmitted to .

*Step 3. *After receiving , computes , and checks if is equal to . If it holds, computes , , ), , where is a random number. is transmitted to .

*Step 4. *After receiving , computes , , and checks if . If the equation holds, computes and sends to .

*Step 5. *After receiving , computes and checks if . If the equation holds, establishes a session key with successfully.

##### 4.5. Password Update Phase

changes his original password to a new one in the following steps. As described in Figure 4.

*Step 1. * attaches his smart card to a terminal, enters and , and imprints . The smart card calculates , and checks . If it holds, the smart card asks the user to input a new password.

*Step 2. * enters his new password . Then the smart card calculates , , . The smart card stores in the smart card and removes .

#### 5. Security Proof

##### 5.1. Formal Security Analysis

We describe the formal security model for three-factor multiserver authentication schemes proposed by Feng at al. [26] and prove the proposed scheme is provably secure in this model.

###### 5.1.1. Security Model

*Participants*. There are three types of principals in multiserver authentication scheme, that is, the user , the server , and the registration center* RC*. Every kind of participant has many instances*. *We use , , and denote them*.*

*Queries*. The abilities of adversary are modeled by asking the following queries.

*Execute *. The query simulates the eavesdropping attack. It returns the transcripts of the transmitted messages in public channel to the adversary.

*Send *. It allows the adversary masquerades as a principal to send a message . The oracle handles the message and gives a response to the adversary.

*Reveal **.* This query discloses the session key of instance or to the adversary. However, if instance or does not establish a session key, it returns an invalid symbol .

*Corrupt (*). This query reveals one or two authentication factors of user to the adversary. Note that the adversary cannot get all the three authentication factors at the same time, as he has no difference with a legitimate user.

When , it returns the password of to the adversary.

When , it returns the data in ’s smart card.

When , it returns the biometric of *.*

*Corrupt *. This query simulates the forward secrecy attack; it answers the master key* x* or the secret key to the adversary.

*Test *. The query is used to evaluate the semantic security of session key. The adversary is allowed to make the query no more than once. If the instance or is fresh (see below), the oracle flips a coin . If , it returns the session key to the adversary. If , it returns a random string of the same size to the adversary.

*Freshness*. The instance or is fresh, if the following conditions are satisfied.(1)The instance is accepted and establishes a session key.(2)The instance and its partner that belongs to the same session are never made a reveal query.(3)The adversary never asks the Corrupt () query*.*(4)The adversary never makes a Corrupt () query*.*

*Semantic Security*. The adversary makes a series of aforementioned queries in polynomial time. Eventually, the adversary deduces the value of involved in test query to be . We denote the advantage that the adversary breaches the semantic security of our scheme as Our protocol is secure, if for any adversary the advantage is negligible.

###### 5.1.2. Formal Security Proof

The formal security proof of the proposed scheme relies on the presumed hardness of the elliptic curve Diffie–Hellman problem defined below.

*The Elliptic Curve Diffie–Hellman Problem (ECDHP)*. Let be an elliptic curve group of order* p*. And* P* is a generator of . For given , where , , it is infeasible to compute in polynomial time.

Theorem 1. *We use P to denote the proposed scheme. There is an adversary who tries to break the semantic security of our scheme. We assume that is able to make at most Send-queries, Execute queries, Hash queries, Bio-hash queries, and Encryption/Decryption queries in polynomial time t. Then we have*

*where is the bit length of hash output. is the bit length of Bio-hash output. is the bit length of symmetric encryption output. The password dictionary space is*

*.*is the probability that the adversary solves the in polynomial time*t.**The Proof*. The advantage of breaking our scheme is deduced via a series of games from to . denotes the event that the adversary correctly guesses the value of involved in test query in game . And is the probability of the event .

: it represents the real attack; obviously, we have

By a further transformation, we have

: in this game, the hash oracle, bio-hash oracle, and encryption/decryption oracle are simulated by maintaining a hash list , a bio-hash list *, *and an encryption/ decryption list . For a hash query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a random number , returns to the adversary, and adds the item () to . The bio-hash oracle is simulated in the same way. For an encryption query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a value from cipher text space, returns to the adversary, and adds the item () to . For a decryption query , if there is an item () in , the oracle returns to the adversary. Otherwise, the oracle chooses a value from plaintext space, returns to the adversary, and adds the item () to . Besides, all oracles involved in security model are simulated in this game. Obviously, this game has no difference with . We have

: we avoid the occurrence of some collisions in this game. is indistinguishable from *, *unless the following conditions occur.(1)A collision happens in the output of hash function; the probability is less than .(2)A collision happens in the output of bio-hash; the probability is no more than .(3)A collision happens in the output of symmetric encryption; the probability is less than .(4)A collision happens on or ; the probability is no more than .

So we have

: in this game, we avoid the situation that the adversary correctly guesses or without making the corresponding hash query. The probability is at most . Thus,

: this game averts the execution when the adversary correctly guesses the authentication value directly. The probability is at most . We get

: in this game, we avoid the occurrence that the adversary has computed the authentication value with the help of Corrupt (). The following three cases are included.

*Case 1. *The adversary queries Corrupt () and Corrupt (). To derive , the adversary still needs to get the biometric. The probability that he correctly guesses the biometric is at most

*Case 2. *The adversary queries Corrupt () and Corrupt (). The probability that he correctly guesses the password is less than .

*Case 3. *The adversary queries Corrupt () and Corrupt (). The probability that he correctly guesses the parameter is no more than .

The probability that the adversary gets is less than . We have

: in this game, we compute the session key using the private oracles instead of the hash oracle . As the private oracles is unknown to the adversary. We have

has no difference with , unless the adversary makes a hash query ; we denote the event as . We have

: we simulate the random self-reducibility of ECDHP in this game. For , through selecting randomly in , we can obtain the item containing with the probability . Since the event denotes that the adversary makes a hash query . We have

Through the series of games above, we have

##### 5.2. Security Proof Using BAN Logic

In this section, we use BAN logic [33] to prove that our scheme achieves mutual authentication and establishes a secure session key. Table 2 describes the symbols and rules of BAN logic.

The goals that our scheme should achieve are as follows. Goal 1: Goal 2: Goal 3: Goal 4:

We idealized the proposed scheme as follows. M1: M2: M3: M4:

The initiative assumption of our scheme is given as follows. S1: S2: S3: S4: S5: S6: S7: S8: S9: S10: S11:

The proof of our scheme is performed as follows.

From M1, we have(1)

According to S1, (1) and message meaning rule, we obtain(2)

According to S2, (2) and nonce-verification rule, we obtain(3)

According to S3, (3) and jurisdiction rule, we obtain(4)

From M2, we have(5)

According to S4, (5) and message meaning rule, we obtain(6)

According to S5, (6) and nonce-verification rule, we obtain(7)

According to S6, (7) and jurisdiction rule, we obtain(8)

From M3, we have(9)

According to S7, (9) and message meaning rule, we obtain(10)

According to S8, (10) and nonce-verification rule, we obtain(11)(**Goal 1**)

According to S9, (11) and jurisdiction rule, we obtain(12)(**Goal 2**)

From M4, we have(13)

According to (8), (13) and message meaning rule, we obtain(14)

According to S10, (14) and nonce-verification rule, we obtain(15)(**Goal 3**)

According to S11, (15) and jurisdiction rule, we obtain(16)(**Goal 4**)

#### 6. Informal Security Analysis

In this section, we demonstrate that our scheme achieves user anonymity, forward secrecy, and three-factor secrecy and is resistant to several known attacks.

##### 6.1. User Anonymity

In our scheme, user’s identity is protected with symmetric encryption. As the key and is unavailable. cannot get any information about from the transmitted messages in public channel. In addition, cannot link two distinct messages to one user due to the existence of random number. Our scheme achieves user anonymity.

##### 6.2. Forward Secrecy

Suppose that compromises the master key of* RC* and intercepts , from public channel. Then tries to compute the session key . can get and by computing , . To get , needs to derive from ,. It means that has to solve the elliptic curve Diffie–Hellman problem. It is absolutely impossible. Our scheme achieves forward secrecy.

##### 6.3. Offline Password Guessing Attack

In the case that extracts from ’s smart card and obtains ’s biometric , tries to acquire the password of in the following steps.

*Step 1. *Choose an identity from identity dictionary space and a password from password dictionary space.

*Step 2. *Compute . Check .

*Step 3. *Repeat Steps 1 and 2, until finds a pair of satisfying .

However, even if finds a pair of satisfying , he cannot determine whether they are the real identity and password of . The proposed scheme employs the fuzzy validation of inputted authentication information. When and the identity and password both are 64 bits, there will be pairs of identity and password satisfying . The probability that each candidate is equal to the pair of identity and password of is , this is negligible. In our scheme, it is unable to reveal the identity and password of user even if both the smart card and biometric are compromised.

##### 6.4. User Impersonation Attack

Assume that tries to impersonate user and forge a login requested message . computes , where is a random number. To compute , needs to know . However, cannot get any information about from the transmitted messages in public channel, as is protected with symmetric encryption and hash function. In the case that the smart card is compromised, tries to retrieve from . As , needs to get at first. To compute , requires ,,. That is to say, cannot get , unless he obtains all the three authentication factors at the same time. This is beyond the capacity of . The proposed scheme is secure against user impersonate attack.

##### 6.5. Server Impersonation Attack

Suppose that intercepts and from public channel and tries to masquerade as the server by sending a forged message to . At first, generates a random number and computes , . Next, to compute , still needs and As analyzed above, cannot obtain . To derive , the adversary needs to compromise the master key* x* or break the elliptic curve Diffie–Hellman problem. It is beyond the capacity of . Our scheme is secure against server impersonation attack.

##### 6.6. Replay Attack

In our scheme, we adopt random numbers instead of timestamp to guarantee the freshness of exchanged messages. It decreases the communication overhead and avoids clock synchronization problem. In the following four cases, we demonstrate that our scheme is resistant to replay attack.

*Case 1. *Suppose that the adversary intercepts from public channel and sends it to* RC* as a new login request.* RC* and deal with this message and return to . Then needs to generate a response message and sends it to . As are unavailable, the adversary is unable to return a valid to . The protocol finally aborts.

*Case 2. *In case replays to , as is unable to return a valid to , the protocol finally aborts.

*Case 3. *If intercepts from public channel and replays to . The user deals with this message and finds that . The protocol aborts.

*Case 4. *Assume that intercepts from public channel and replays to . The server deals with this message and finds that . The protocol aborts.

##### 6.7. Known Session-Specific Temporary Information Attack

Suppose that random number or is compromised; the adversary computes or . It still requires and to compute the session key . However, are unavailable. It is unable to compromise the session key in our scheme.

##### 6.8. Privileged Insider Attack

On one hand, the password and biometric of are protected with hash function in registration phase. On the other hand, the user never reveals any authentication information (password, biometric, or the parameters of smart card) to* RC* or server in login and authentication phase. Hence, our scheme is resistant to privileged insider attack.

##### 6.9. Three-Factor Secrecy

As analyzed above, in the absence of any one authentication factor, cannot impersonate user successfully. In the following three cases, we demonstrate that if any two authentication factors of user are compromised, the adversary cannot breach the other one.

*Case 1. *Suppose that ’s smart card and biometric are compromised. As analyzed above, the adversary cannot reveal ’s password via offline password guessing attack.

*Case 2. *Suppose that ’s smart card and password are compromised. As the biometric is protected by means of hash function, is unable to retrieve from .

*Case 3. *Suppose that ’s biometric and password are compromised. The adversary tries to reveal the parameters stored in the smart card, where is a random number, , , . As are unavailable. The adversary is unable to reveal any data of smart card.

#### 7. Security and Performance Comparison

We compare our scheme with other biometric-based multiserver authentication schemes using ECC [22, 25–27]. The results of comparison indicate that our scheme satisfies all the security requirements, while it requires the minimum communication and computation overhead.

Table 3 shows the results of security analysis. It indicates that only our scheme is secure against various known attacks and provides desirable security properties such as forward secrecy, user anonymity, three-factor secrecy, and efficient wrong password and biometric detection. The other schemes [22, 25–27] suffer from more or less security vulnerabilities.

Table 4 gives the computation costs of related schemes at login and authentication phase. More specifically, denotes computing a hash function. denotes one symmetric encryption. denotes one symmetric decryption. denotes one point multiplication on elliptic curve group. The computing overhead of lightweight operation “XOR” is negligible compared with other operations. Our scheme requires in user end, requires in* RC*, and requires in server end. And the total computation cost of our scheme is . The total computation costs of related schemes [22, 25–27] are , , , , respectively.

Table 5 summarizes the computing time of different cryptographic operations [34]. The hash function SHA-256 and SHA-512, the symmetric algorithm AES-128 and AES-256, the elliptic curve cryptosystem using P521, and Curve-25519, respectively, are employed to estimate the running time of related schemes. We compare our scheme with related schemes for two scenarios as shown in Figure 5. The Scenario 1 adopts the comparatively efficient algorithms, that is, SHA-256, AES-128 encryption/decryption, and elliptic curve cryptosystem using Curve25519. In this scenario, our scheme requires 432.57 ms; the related schemes [22, 25–27] require 576.286 ms, 576.208 ms, 576.312 ms, and 504.518 ms, respectively. Scenario 2 uses the comparatively time-consuming algorithms, that is, SHA-512, AES-256 encryption/decryption, and elliptic curve cryptosystem using P521. In this scenario, our scheme requires 6319.022 ms; the related schemes [22, 25–27] require 8424.704 ms, 8424.512 ms, 8424.768 ms, and 7371.894 ms, respectively. The computation overhead of our scheme is superior to other schemes in both scenarios.

Figure 6 illustrates the communication overheads of related schemes. To evaluate the communication overhead, we suppose that the identity of user, timestamp, random number are 64 bits; a point on is 160 bits. When using the hash function SHA-256 and the symmetric algorithm AES-128, the communication overhead of our scheme is 2112 bits; the communication overheads of relevant schemes [22, 25–27] are 4224 bits, 3392 bits, 4224 bits, and 2624 bits, respectively. When adopting the hash function SHA-512 and the symmetric algorithm AES-256, the communication overhead of our scheme is 3392 bits; the communication overheads of relevant schemes [22, 25–27] are 7808 bits, 5696 bits, 7808 bits, and 3392 bits, respectively. Our scheme has the lowest communication overhead compared with other schemes.

#### 8. Conclusions

In this paper, we prove that Ali et al.’s scheme is susceptible to various security threats, such as impersonation attack, denial of service attack, and known session-specific temporary information attack. Furthermore, we propose an efficient ECC-based three-factor authentication scheme for multiserver environment. BAN logic proof and the formal security analysis under random oracle model are used to prove the completeness and security of the proposed scheme. Besides, the informal analysis demonstrates that our scheme surmount the vulnerabilities in Ali et al.’s scheme and provides desirable attributes like forward secrecy and three-factor secrecy. In addition, the performance and security comparison shows that our scheme provides strong security, while it has minimal communication overhead and computation cost.

#### Data Availability

The data used to support the findings of this study are included within the article.

#### Conflicts of Interest

The authors declare no conflict of interest.

#### Acknowledgments

This research was funded by the National Key Research and Development Program of China under Grant No. 2018YFB0803605 and the National Natural Science Foundation of China under Grant No. 61873069.