Next Article in Journal
Performance Analysis of Different Gun Silencers
Next Article in Special Issue
Federated Reinforcement Learning in IoT: Applications, Opportunities and Open Challenges
Previous Article in Journal
Deep Learning for Microstructural Characterization of Synchrotron Radiation-Based Collagen Bundle Imaging in Peri-Implant Soft Tissues
Font Type:
Arial Georgia Verdana
Font Size:
Aa Aa Aa
Line Spacing:
Column Width:

A Robust and Effective Two-Factor Authentication (2FA) Protocol Based on ECC for Mobile Computing

Key Laboratory of Trustworthy Distributed Computing and Service (MoE), Beijing University of Posts and Telecommunications, Beijing 100876, China
RIOH High Science and Technology Group, Beijing 100088, China
School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen 518055, China
Author to whom correspondence should be addressed.
Appl. Sci. 2023, 13(7), 4425;
Submission received: 11 February 2023 / Revised: 9 March 2023 / Accepted: 14 March 2023 / Published: 30 March 2023
(This article belongs to the Special Issue Research on Security and Privacy in IoT and Big Data)


The rapid development of mobile computing (e.g., mobile health, mobile payments, and smart homes) has brought great convenience to our lives. It is well-known that the security and privacy of user information from these applications and services is critical. Without the prevention provided by an authentication mechanism, safety vulnerabilities may accumulate, such as illegal intrusion access resulting in data leakage and fraudulent abuse. Luckily, the two-factor authentication (2FA) protocols can secure access and communication for mobile computing. As we understand it, existing 2FA authentication protocols weaken security in the pursuit of high efficiency. How efficiency can be achieved while preserving the protocol’s security remains a challenge. In this study, we designed a robust and effective 2FA protocol based on elliptic curve cryptography (ECC) for authentication of users and service providers. We proved the robustness (respectively, the effectiveness) of the presented protocol with the heuristic analysis and security verification provided by the ProVerif tool (respectively, with a performance comparison based on six schemes). Performance comparisons in terms of message rounds, communication, and computation overheads showed that our scheme was superior to the exiting schemes or comparable as a whole; i.e., only two rounds, 1376 bits, and 1.818 ms were required in our scheme, respectively. The evaluation results showed that the proposed 2FA protocol provides a better balance between security and availability compared to state-of-the-art protocols.

1. Introduction

With the rapid development of mobile application services using mobile computing, a variety of mobile applications (e.g., e-mail, social networks, online shopping, playing videos, and mobile games) are becoming more and more practical, which not only enhances people’s ways of life but also brings them more convenience [1]. It is worth mentioning that data security and privacy in these services are vulnerable to various threats. The Check Point researchers declared in an analysis report that about 100 million users’ private data were leaked due to illegal intrusion from multiple Android applications, which included real-time databases, push notifications, and cloud key storage, and these leaked data may become “fat meat” in the eyes of malicious actors [2,3]. Attention must be given to security and privacy issues as soon as possible.
The two-factor authentication mechanism (i.e., password + smart card) can achieve user identity verification and session key agreement through protocol interaction. Legal users can access data securely via the session key, thus effectively protecting data security and privacy. However, existing two-factor authentication (2FA) protocols have a fly in the ointment. Given that mobile devices may have constrained resources, many 2FA protocols sacrifice security for higher efficiency and availability.
From the perspective of security, the issue is that the network communication entities in 2FA are subject to diverse attacks, such as impersonation attacks and privileged insider attacks. The schemes in [4,5] do not apply advanced technical means, such as multi-factor authentication and the technology of custom dictionaries, and cannot resist key-compromised user impersonation attacks and password-guessing attacks [6,7,8].
From the perspective of efficiency, to enhance computational efficiency and diminish the communication overhead, earlier researchers tried to design a practical authentication and key agreement (AKA) protocol by using the hash function and symmetric cryptography (e.g., [9,10,11]). Gope et al. [9] put forward a lightweight privacy-preserving authentication protocol in which the server does not need to carry out any time-consuming search operations to identify the tag. In addition, it does not need to store a secret key in the tag device. Yang et al. [10] proposed an efficient, perfect forward secrecy-enabled AKA protocol on the basis of a lightweight hash function and XOR operation. Das et al. [11] developed a remote user authentication protocol based on dynamic ID that allows the user to select and update their passwords randomly and does not maintain a verifier table. Nevertheless, it was found that the scheme in [12] could not provide forward secrecy to secure the session key.
Public-key cryptography technology can be used to enhance the security of the AKA protocol [12]. These public-key cryptography technologies (such as ECC [13], RSA [14], and bilinear pairings [15]) are becoming widely used in the design of AKA protocols [7,16,17], making it possible to enhance the safety of the session key and preserve user’s anonymity, etc. However, given the authentication performance, using a large number of public-key cryptography techniques throughout the process often leads to greater communication/storage consumption costs and lacks practicality. Accordingly, designing a 2FA protocol that balances security and availability is a challenge.

1.1. Related Work

Since the first 2FA protocol [18] was presented in 1981, hundreds of research studies on 2FA protocols for mobile computing have been undertaken, such as on client–server (C/S) architecture [16,17,19,20] and multi-server environments [21].
On the one hand, for the design of the technical protocol, Durlanik et al. [16] proposed a 2FA protocol implementing a public key exchange mechanism with ECC for the session initiation protocol (SIP). They stated that the memory requirements and total execution times of the proposed protocol were greatly improved compared to non-elliptic approaches. For multi-server environments, Chatterjee et al. [21] introduced a modified authentication protocol employing symmetric key encryption–decryption, the hash function, and a Chebyshev chaotic map and proved that the user can only use a single identity and password to manage authentication for different servers.
On the other hand, to enhance the security of the 2FA protocol, Wang [22] provided a design philosophy, a corresponding solution, and a stronger attack model for 2FA protocols. Later, Wang et al. [19] investigated the difficulty of designing identity-based privacy protection 2FA protocols. To enable trusted users (such as doctors or clinicians) to access sensor data from patients using wireless body area networks in the healthcare IoT, Fotouhi et al. [20] designed a lightweight 2FA protocol. Additionally, security proof results showed that the presented protocol offered forward secrecy and could resist common attacks, including privileged insider attacks.
Furthermore, on the basis of cloud services, Vivekanandan et al. [23] proposed a three-factor mobile user authentication protocol for distributed multimedia in 2020. They stated that their protocol provides extra characteristics, such as user choice-based service provider registration, initial user identity registration, and user revocation. Although the protocol [23] can resist various known attacks, it has low authentication efficiency due to the high computational overhead.
To effectively achieve remote communication between users of specific medical services and service providers, Hsu et al. [24] designed a three-factor, user-controlled, single-sign-on scheme with privacy protection and fast authentication. The results of the performance comparison indicated that their scheme had more security attributes and the lowest cost. However, unlike other schemes that store credentials on the server side, this scheme stores large quantities of user credentials on the client side, which results in low communication efficiency.
For end-to-end communication in 5G-enabled narrow-band IoT networks, Hsu et al. [25] proposed a privacy-preserving authenticated key exchange protocol for a multi-server architecture that allows mobile users to log on to multiple servers with an easy-to-remember password and then compute a session key. Although they used elliptic curve cryptography with a small key size to improve communication efficiency, the protocol bears the risk of the session key being easily obtained by adversaries.
In 2021, in order to resist offline dictionary guessing attacks and continuous leakage of secrets from identity servers, Zhang et al. [26] put forward a password-based threshold single-sign-on authentication protocol for mobile users. In addition, they designed a hybrid mechanism and mixed it with the proposed protocol to effectively thwart online dictionary guessing attacks. However, their solutions are not satisfactory in terms of performance and are not suitable for large-scale applications.
For distributed mobile cloud environments, Vivekanandan et al. [27] put forward a privacy protection user authentication protocol using blockchain technology. By means of security analysis methods (e.g., BAN logic, informal analysis, the scyther tool, and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool), they examined the proposed protocol in relation to various common attacks and found that the proposed protocol could resist all known attacks. Similarly to [26], Sastry and Reddy’s scheme also has the problem that its low performance is not conducive to enhancing the authentication phase efficiently.
To preserve user privacy in the IoT healthcare system, Lin et al. [28] designed a smart card-based authentication protocol with a multi-server architecture. However, we found that no timestamp was used, and so the proposed protocol could not resist denial of service (DoS) attacks. On the basis of extended chaotic maps, Meshram et al. [29] presented a 2FA protocol where a new value S B i is stored in the server during the authentication procedure. However, this protocol cannot resist desynchronization attacks. Despite the fact that user anonymity can be ensured with the protocols from [28,29], they cannot offer user un-traceability, since the messages in the proposed protocol contain various continual values with which attackers can guess the identities of users easily. Additionally, as the users’ private credentials are stored directly in the card without being shielded, Lin et al.’s scheme [28] is vulnerable to stolen smart card attacks.
In 2022, in order to lessen the operation costs and hardware overhead caused by card readers, Meher and Amin [30] designed a multi-factor authentication protocol that does not use smart cards and which is user-friendly and robust. Moreover, the proposed protocol addressed the problem of smart card loss/theft. The authors analyzed their authentication protocol in its response to several security threats, and the results showed that their scheme was safe.
For the multiple service providers in a 6G-assisted intelligent medical environment, Le et al. [31] proposed a three-factor (i.e., smart card, password, and biometrics) authentication protocol with time-limited characteristics. In their scheme, service providers and patients can establish healthcare communications effectively and securely. However, user credentials are stored on the server side, which has potential risks. Moreover, the protocol is vulnerable to password-guessing attacks.
Considering the security threats from physical attacks, physically unclonable functions (PUFs) that can resist physical attacks are widely used to design robust authentication protocols [32,33]. These two research works both claimed that the proposed schemes could resist physical attacks, such as cloning attacks and physical tampering attacks.

1.2. Motivations and Contribution

In practical terms, a 2FA protocol (password + smart card as the two authentication factors) is supposed to offer comprehensive security and various desired characteristics. Table 1 shows the four essential security goals [34] that a 2FA protocol must meet.
However, current state-of-the-art 2FA protocols do not meet at least one of the four presented security goals. For instance, according to the acknowledged criteria and heuristic analysis of this paper, the protocol in [35] cannot offer user un-traceability, the protocols in [36,37] cannot resist password-guessing attacks or provide session-key security, and the protocol in [38] is vulnerable to counterfeiting attacks. Similarly, using a heuristic analysis with detailed attack steps, Shin et al. [39] found that the static key and the client’s password in the protocols in [40,41] can be obtained by any attacker. To enhance security and maintain high efficiency, we developed a robust 2FA protocol for mobile computing. The key contributions of this paper are as follows:
Design of a 2FA protocol for mobile computing
The “Fuzzy-Verifiers” [42] and “Honeywords” [42] techniques, which can be used to construct a fuzzy password verifier and effectively resist password-guessing attacks, were applied in our protocol. Further, based on the hash function and ECC, we designed a 2FA protocol that supports user registration, mutual authentication, and user password updating.
The semantic security of the 2FA protocol
The semantic security of the session key was proved with a security proof in our protocol. Additionally, through heuristic analysis, we demonstrated that the proposed protocol meets the ten security evaluation criteria. Furthermore, our protocol’s entity authentication, message confidentiality, and session key security were confirmed using the ProVerif [43] tool.
Performance analysis of the 2FA protocol
A comparative analysis of the functionality, communication, and computation cost of the proposed protocol was conducted with six common related protocols; i.e., those of Roy et al. [37] (IEEE IoTJ’18), Islam et al. [5] (IEEE IoTJ’18), and so on. A better balance between security and availability was achieved in the proposed protocol according to the comparison results.

2. Preliminaries

In this section, some indispensable preliminaries are presented to facilitate an easy understanding of the following sections.

2.1. System Model

As shown in Figure 1, the system model for the 2FA protocol consists of two entities: the user and the service provider. Note that the blue line corresponds to the registration phase and the green line to the mutual authentication phase. In the registration phase, the secret key value and the long-term key are generated by the service provider. When a user registers with the service provider, the registration request is sent to the service provider by the user, and then the service provider creates a smart card, which is sent to the user to enable them to complete the registration operation.
Following the mutual authentication phase, a user with a smart card sends a login request to the service provider, and the service provider then verifies this user according to the received login request. After that, the service provider computes a session key and then conveys the relevant message to the user. Lastly, when receiving the message from the service provider, the user authenticates the identity of the service provider and re-computes the session key.

2.2. Notations

To facilitate understanding among researchers, some notations used in the 2FA protocol are explained in Table 2.

2.3. Adversary Model

In the existing adversary models presented in [42,44,45,46,47,48,49,50,51,52], the communication channel between the communicating parties can be controlled by the adversary, who can initiate malicious operations, such as intercepting, eavesdropping on, and modifying transport messages. In terms of the forward secrecy, A can also be admitted and corrupt valid parties to obtain long-term keys. In addition, for various reasons (e.g., improper erasure), A may attain a previous session key. The capabilities of the adversary in 2FA protocols are described below:
  • By means of power analysis or other side-channel techniques, the parameters preserved in the smart card of the user can be obtained by the adversary A ;
  • A can intercept, eavesdrop on, and modify transmitted messages in the public channel;
  • A can enumerate all pairs P W i , I D i in D P W , D I D in polynomial time, where D I D and D P W represent the spaces of the identifier and password, respectively;
  • A can also register as a legal user in cases in which anyone can register;
  • A may be able to obtain previous session keys (e.g., through digital forensic techniques [42]) due to unsuitable erasure;
  • When evaluating the forward secrecy, A is assumed to have obtained the long-term private key of the service provider.

3. Proposed Protocol

To meet the security requirements for a 2FA protocol for mobile users and service providers, we employed the following five core approaches in the proposed protocol:
  • The user only sends I D i to the service provider and the protocol uses fuzzy verification technology to design password login verifiers in the registration phase to resist attacks from privileged insiders;
  • To resist password-guessing attacks where the adversary leverages the verifier to guess the password, we used the “Fuzzy-Verifiers” and “Honeywords” technologies [42] to set the verifiers of the password P W i ; i.e., A i = H I D i P W i a i   m o d   n 0 , R P W i = H I D i P W i   m o d   n 0 ;
  • In terms of guaranteeing efficiency and forward secrecy [53], we applied lightweight ECC to ensure the 2FA protocol’s efficiency and, in addition to the long-term key, we added a secret value that cannot be obtained by the adversary in the calculation of the session key to ensure forward secrecy;
  • To resist key-compromise impersonation attacks, we included a secret parameter r i that can be stored with the service provider securely (e.g., stored in an auxiliary server, as with [17]). Consequently, A is unable to acquire the value of V i with r i to forge the login request message M 1 ;
  • To ensure the user’s un-traceability, a dynamic M 2 computed with the dynamic parameters K 2   a n d   V i prohibits the adversary from tracing the unchanged identity of the user.
Next, this paper describes the 2FA protocol in detail, including the system setup phase, the registration phase, the following login and authentication phase, and, lastly, the password update phase.

3.1. System Setup Phase

The service provider S j independently chooses a number x   ϵ   Z p , which is a one-way hash function H . Then, S j calculates X = x P ( P is a generator of the abelian group G in the elliptic curve), publicizes the parameter H , X , and reserves a long, private, secret key x .

3.2. Registration Phase

To obtain authentication from S j ,   U i needs to carry out the following registration steps (R. 1–3) and complete the registration in the terminal of S j :
R. 1 The user U i chooses an I D i and, using the secure channel, U i transmits it to the service provider S j ;
R. 2 Upon receiving I D i , S j picks a random number r i ϵ Z p and computes V i = H I D i x r i . S j stores I D i , r i , S u m = 0 in its database, where the parameter S u m represents the number of login failures allowed for the user, and the smart card is revoked once the user fails more than S u m times. Finally, S j adds X , P , V i to a fresh smart card S C i and, using the secure channel, transmits S C i to U i ;
R. 3 When the user U i obtains the smart card S C i from S j , S C i selects a i   ϵ Z p and randomly generates a number 2 4 n 0 2 8 . Then, S C i calculates the following parameters: R P W i = H I D i P W i   m o d   n 0 , B i = H R P W i a i V i , A i = H I D i P W i a i   m o d   n 0 . Finally, S C i contains the parameters a i , A i , B i , X , P , n 0 .
The operations are also summarized in Table 3 to provide researchers with a quick understanding of the registration phase.

3.3. Login and Mutual Authentication Phase

After U i registers with S j effectively, U i runs the login operation (L. 1) and subsequent authentication steps (A. 1–A. 2) with S j :
L. 1 U i inputs I D i , P W i to S C i . Then, S C i computes A i = H I D i P W i a i   m o d   n 0 and checks whether A i = A i . If not, S C i refuses the login request. Otherwise, S C i computes R P W i = H I D i P W i   m o d   n 0 , V i = B i H R P W i a i . Subsequently, S C i picks a ϵ Z p and computes K 1 = a P , K 2 = a X , M 1 = H I D i K 1 K 2 V i , M 2 = E K 2 I D i V i , where E K 2 is a symmetric encryption algorithm. Finally, S C i sends M 1 , M 2 , K 1 to S j ;
A. 1 After obtaining M 1 , M 2 , K 1 , S j calculates K 2 = x K 1 , I D i V i = D K 2 M 2 , where D K 2 is a symmetric decryption algorithm. Then, S j searches I D i in its database. If I D i cannot be found, this session is aborted. Otherwise, S j moves to the next step. S j extracts r i stored in the database and checks whether V i = H I D i x r i . If they are unequal, S j understands that U i ’s smart card has been broken. Otherwise, S j moves to the next step. S j computes M 1 = H I D i K 1 K 2 V i and checks whether M 1 = M 1 . S j will end this session if they are unequal, which means that the integrity of M 1 has been corrupted. Otherwise, S j picks b ϵ Z p and computes K 3 = b P , K 4 = b K 1 , M 3 = H K 3 K 2 V i I D i K 4 , S K s = H K 4 I D i V i . Lastly, S j sends the message K 3 , M 3 to U i openly;
A. 2 On receiving the message K 3 , M 3 , U i computes K 4 = a K 3 , S K u = H K 4 I D i V i , M 3 = H K 3 K 2 V i I D i K 4 and verifies if M 3 = M 3 . If the verification fails, the integrity of M 3 may be corrupted, and U i ceases this session; otherwise, U i thinks about a shared session key S K = S K u = S K s .
Again, the operations are summarized in Table 4 to provide researchers with a quick understanding of the login and authentication phase.

3.4. Password Update Phase

Here, the user U i can change the password; that is, U i only submits his/her old or frequently used password to the smart card as shown in the login phase. After the smart card recognizes U i ’s legitimacy by checking if A i = A i and obtains V i , U i can choose a new P W i n e w and then updates parameters: A i n e w = H I D i P W i n e w a i   m o d   n 0 , R P W i n e w = H I D i P W i n e w   m o d   n 0 , B i n e w = H R P W i n e w a i V i . Lastly, the smart card replaces A i   a n d   B i with new parameters A i n e w   a n d   B i n e w .

4. Security Analysis

In this section, we describe the formal security proof, the heuristic analysis, and the security analysis using the automated verification tool ProVerif employed to assess the security of the protocol. To facilitate the description, the proposed protocol is abbreviated as P .

4.1. Formal Security Proof

In this part, we first provide the basics for the security proof and then prove the security of P under the following elliptic-curve computational Diffie–Hellman (ECCDH) assumption.
ECCDH: The hardness assumption of the ECCDH problem, as a variant of the Diffie–Hellman power multiplication [53], indicates that, given a random pair ( a P , b P ) in G , no probabilistic polynomial time (PPT) adversary A can effectively compute a b P with a non-negligible advantage.

4.1.1. Basics for the Security Proof

The security of P was assessed using the BPR2000 [54] and Bresson [55] basics, and it was further inspired by the proof work published by Wang et al. [42]. The basics are described below.
Participants. A 2FA P involves two participants: U and S . Each participant has many different instances called oracles. U ’s i th instance and S ’s j th instance are denoted as U i and S j , respectively. Additionally, any instance can be expressed as I if there are no differences.
Queries. The interaction between participants and the adversary A only takes place through oracle queries, which simulate the adversary’s abilities in a real attack. The kinds of queries that A can use are as follows:
  • Execute U i , S j : This query catches the eavesdropping of a protocol and, correspondingly, all communication records between U i and S j are included in its output;
  • Send U i , S t a r t : This query represents the initialization of protocol P ;
  • Send I i , m : This query captures active attacks. More specifically, by intercepting and blocking a message, an imitative message m is created by A . Subsequently, A conveys m to I i and then obtains the feedback from I i ;
  • Reveal I i : This query models the misapplication of the session key. When I i recognizes the session and creates an S K , it returns I i ’s session key S K to A . Otherwise, it responds with , which means no response;
  • Test I i : The session key’s semantic security is modeled with this query. A coin b is flipped when the query is received. If b = 0 , a random secret key of the same size as S K is then sent to A . If b = 1 , then S K is sent to A . A “ ” is sent to A if no S K for I i is created. This query can be invoked momentarily (but only once) during the simulation of the adversary;
  • Corrupt U i : With this query, the secret data preserved by the user can be acquired by A .
Accepted state: When the last prospective protocol message is accepted, an instance I will enter the accepted state. Significantly, the orderly series connection of all communicated messages forms the session identifier for I for the present session.
Partnering. Two instances U i and S j become partners if: (1) U i and S j are in the accepted state; (2) the session identifiers s i d of U i and S j are the same—i.e., s i d U i = s i d S j ; (3) S j ’s partner identifier p i d is U i and vice versa.
Freshness. An instance I is fresh if: (1) an accepted session key has been computed by I ; (2) a reveal query is not sent to I by A or its partner.

4.1.2. Security Proof

In this part, the difference lemma [56] is introduced in Lemma 1 and, with this lemma, the advantage from A corrupting the session key’s semantic security is derived by means of a formal theorem.
Lemma 1. 
Suppose that E 1 , E 2 ,   a n d   F are events defined in a probabilistic distribution and further assume that E 1 ¬ F E 2 ¬ F . Then, P r E 1 P r E 2 P r F holds, where P r · denotes the probability that the event occurs.
Theorem 1. 
Define  A d v P , D A K A A  as the probability of a PPT adversary  A  corrupting the semantic security of  P  within a limited time  t . When  A  delivers  q h  hash queries,  q e  execute queries, and  q s  send queries, we obtain: 
A d v P , D A K A A 2 C q s s + q s + q h + q h 2 2 l 1 + 2 q s + q e 2 p + 2 q h A d v A E C C D H t
where  D  represents the password space that coincides with Zipf’s law [44] according to a probability distribution,  s  and  C  refer to the Zipf’s law parameters,  l  denotes the bit length of the hash value,  p  represents a large prime parameter, and  t t + q s + q e + 1 T c , where  T c  is the calculation time for the point multiplication operation of the ECC.
Assume that the adversary A can corrupt the security of P . For such circumstances, we put forward an algorithm B that is able to solve the ECCDH problem. More precisely, B responds with a b P against the instance a P , b P of the ECCDH. The proof consists of a series of games: E 0 , E 1 , , E 5 . Let P r E i denote the valid output b of A in E i , where i = 0 , 1 , 2 , 3 , 4 , 5 .
Game E 0 . This game simulates a real attack. A has access to all the oracles; that is, we get:
A d v P , D A K A A = 2 P r E 0 1
Game E 1 . This game models the random oracle H by managing Λ A and a hash list Λ H . In addition, this game cannot be distinguished from the actual conduction of the protocol—i.e., game E 0 —as all oracles are modeled as the real attack. Thus, we have:
P r E 1 P r E 0 = 0
Game E 2 . All types of queries are modelled in this game, as in game E 1 , and it is terminated in the following two situations [34]: (1) a crash from the hash query output and (2) a crash from various records— ( M 1 , M 2 , K 1 , K 3 , M 3 ) . According to the birthday paradox, we have:
P r E 2 P r E 1 q h 2 2 l + 1 + q s + q e 2 2 p
Game E 3 . This game is modeled similarly to the game E 2 but the only difference is that the protocol is aborted when A guesses the authentication parameters M 1 and M 3 accurately without initiating the random oracle query. Further, this game is difficult to differentiate from the previous game E 2 unless the accurate authentication parameter is rejected by U i (or S j ). Hence, we have:
P r E 3 P r E 2 q s 2 l
Game E 4 . The session key S K is attained without accordingly initiating the random oracle query in this game. Correspondingly, this game is difficult to differentiate from the previous game E 3 unless A queries from the random oracle H on K I D i V i , where K = E C C D H K 1 , K 3 = a b P [34]. Therefore, we have:
P r E 4 P r E 3 q h A d v A E C C D H t + q h 2 l
Game E 5 . This game is similar to the previous game E 4 , and the only distinction is that the T e s t query is additionally executed. When A initiates a hash H query with a b P I D i V i , game E 5 is aborted. Accordingly, on the one hand, S K can be obtained from A initiating the H query with the maximum likelihood of q h 2 2 l + 1 . On the other hand, by means of a smart-card-loss attack and by modeling the corrupt U i oracle, A may expect to obtain the password for U i and corrupt the session key. Thanks to the “fuzzy verifier + honeywords” technology, the feasibility of A correctly guessing a password is not more than C q s s [42]. Lastly, from the perspective of breaking the forward security to obtain the session key, the probability of obtained a b P is q s + q e 2 2 p at most. Therefore, we have:
P r E 5 P r E 4 C q s s + q h 2 2 l + 1 + q s + q e 2 2 p
Factually, in this game, A has no advantage from using the same sized session key created by the random value to discriminate the real S K when A does not manage to initiate a H query with the correct input; that is, we have P r E 5 = 1 2 .
Finally, according to games E 0 E 5 and Lemma 1, we have
A d v P , D A K A A 2 C q s s + q s + q h + q h 2 2 l 1 + 2 q s + q e 2 p + 2 q h A d v A E C C D H t

4.2. Heuristic Analysis

Here, we employed heuristic analysis to evaluate the protocol’s security since the heuristic method, with its effective, simple, and direct procedure [7], can show that the proposed protocol not only offers desirable properties but is also resistant to various known attacks.

4.2.1. Timely Password Typo Detection

The proposed protocol decreases the computation and communication overhead in cases of input errors or illegal user-initiated attacks. More precisely, in the login phase, the smart card S C i verifies the password’s validity by checking whether A i ? = A i after the user inputs I D i , P W i . If A i = A i , then the request message is transmitted to the service provider by S C i . Otherwise, this session is terminated. Therefore, the 2FA provides timely password typo detection.

4.2.2. User Anonymity and Un-Traceability

User anonymity refers to hiding part of the user’s information during communication, and un-traceability means that the user’s identity cannot be tracked. Practically, in order to obtain the user’s identity during the communication session, A needs to extract all parameters a i , A i , B i , X , P , n 0 stored in S C i and obtain M 1 , M 2 , K 1 , K 3 , M 3 from U i and S j , but no identity information is preserved in the user’s smart card or conveyed over the open channel in the proposed protocol. For user traceability, M 1 = H I D i K 1 K 2 V i and M 2 = E K 2 I D i V i are variable. The user’s real identity I D i cannot be traced by A . Thus, user anonymity and un-traceability can be achieved.

4.2.3. Privileged Insider Attack

A privilege insider attack refers to insiders using legitimate access to steal confidential information in the system. In the registration phase of our protocol, U i sends I D i to S j without any password-related information. Afterwards, an updated smart card S C i is transmitted to U i by S j . U i activates S C i by providing P W i , which is only known to U i , when receiving S C i . Finally, U i obtains the new S C i . It can be seen that P W i is unavailable in plaintext by examining the parameters preserved in S C i . Thus, the proposed protocol can resist privileged insider attacks.

4.2.4. Key-Compromise User Impersonation Attack

In order to launch a key-compromise user impersonation attack, A must attain the value of V i , which can be calculated in two ways: (1) the legal user can compute it with known I D i , P W i , B i , a i and (2) the service provider can calculate it because of the known r i and x . However, computational difficulties arise if A attempts to acquire these critical parameters; that is, A cannot impersonate the legitimate user U i for S j . Therefore, the proposed protocol is resilient against this attack.

4.2.5. Server Impersonation Attack

In the proposed protocol, A needs to calculate correct K 3 , M 3 to impersonate the service provider S j . Since M 3 = H K 3 K 2 V i I D i K 4 is computed by V i , I D i and preserved by a secure hash function, A has to grasp these critical parameters or estimate the valid values in polynomial time. Next, A must grasp the secret values x , r i , I D i . In any case, it is computationally challenging for A to estimate these private parameters in polynomial time. As a result, the messages cannot be calculated by A correctly, and the proposed protocol is resistant against server impersonation attacks.

4.2.6. Password-Guessing Attack

In the 2FA protocol, A can eavesdrop on all information through the open channel and extract all parameters from the smart card of the user. Then, analyses of the password-guessing attack can be conducted from two angles: (i) On the one hand, with an unknown user’s identity I D i , A guesses I D i , P W i within the dictionary space. Then, A will be capable of calculating the relevant parameters R P W i = H I D i P W i   m o d   n 0 , and A i = H I D i P W i a i   m o d   n 0 . Afterwards, A verifies whether A i ? = A i . Finally, the above procedures are repeated until the password and identity are guessed by A accurately. Obviously from the perspective of theory, the relevant I D i and P W i that meet A i ? = A i can be estimated by A in polynomial time. Factually, the guessing size for the password and identity space can be represented as D I D D P W n 0 , where 2 4 n 0 2 8 , and D P W and D I D represent the guessing spaces of the password and identity, respectively. Thus, the valid password and identity cannot be guessed by A effectively because D I D D P W n 0 2 32 is larger than the finite S u m that denotes the time allowed by the smart card for an attacker until login failure, when D I D = D P W = 10 6 and n 0 = 2 8 [41]. (ii) On the other hand, the identity I D i of the user is likely to be leaked by A . Nevertheless, A is unable to estimate the password P W i correctly since there are still a large number of password candidates D P W n 0 2 12 that meet the formula A i = H I D i P W i a i   m o d   n 0 . Therefore, no matter whether D I D D P W n 0 2 32 or D P W n 0 2 12 , the authentic prize cannot be attained by the adversary using a guessing attack.

4.2.7. De-Synchronization Attack

The de-synchronization attack interferes with the parameter updates. Although the initial message stream can be blocked by the attacker, the service provider does not have to change any critical parameters in the database. Therefore, the consistency of the following communications will not be affected by this procedure. Furthermore, even if the attacker can block the second message stream, the consistency of communications between the service provider and user will not be influenced by it either, as the smart card will change its data only if M 3 ? = M 3 holds. As a result, the proposed protocol is resilient against de-synchronization attacks.

4.2.8. Replay Attack

Suppose that the login request information M 1 , M 2 , K 1 for the previous session has been acquired by A over an open channel. When A replays M 1 , M 2 , K 1 to S j , S j verifies M 1 . Since V i is updated in every successive session, M 1 is also changed to M 1 n e w each time. Therefore, S j cannot check the previous M 1 in the present session. In addition, if A replays K 3 , M 3 to U i , the previous message M 3 cannot be checked by U i in the present session. Accordingly, the proposed protocol is resistant against replay attacks.

4.2.9. Man-in-the-Middle Attack

Assume that A manages to block and intercept the login request information M 1 , M 2 , K 1 and the challenge message K 3 , M 3 and extracts all parameters for S C i in the proposed protocol. To initiate an effective man-in-the-middle attack, A has to falsify the new message stream M 1 , M 2 , K 1 , M 3 , K 3 or replay the previous message stream. As mentioned above, the presented protocol is resilient against replay and impersonation attacks. Neither the service provider nor the user can authenticate A successfully. Thus, the presented protocol can resist man-in-the-middle attacks.

4.2.10. Mutual Authentication

In the presented protocol, S j verifies U i by checking whether M 1 = M 1 , while U i checks S j by verifying if M 3 = M 3 . After mutual authentication, a common session key S K is negotiated by S j and U i ; that is, mutual authentication can be achieved safely with the proposed protocol.

4.2.11. Forward Secrecy of the Session Key

The forward secrecy of the session key indicates that, although the long-term key x of S j is leaked to A , all previous session keys remain safe. Assume that A eavesdrops further: M 1 , M 2 , K 1 , K 3 , M 3 . To calculate the prior session key S K = H K 4 I D i V i , A needs to know I D i V i = D K 2 M 2 = D a X M 2 and K 4 = b K 1 = a b P . Further, computational difficulties arise for A when they try to obtain the stochastic parameters a or b . Thus, A is unable to calculate S K . Forward secrecy can be achieved successfully with the presented 2FA protocol.

4.3. Formal Verification Analysis Using ProVerif

ProVerif is the latest popular automated verification tool [43]. By running the process in an infinite message space and session simulation, it can verify whether the authentication protocol can: (1) ensure the confidentiality of a specially defined string, (2) ensure the authentication of all entities, and (3) prevent an attacker from tracking the secret string (i.e., the session key).

4.3.1. Definition of Parameters in ProVerif

In Figure 2, we provide the definitions of the parameters in ProVerif, where the public channel (ch) and secure channel (sch) are used for communication between the user and service provider. Further, SKusecret is a session key for the user. All functions, as well as related equations, are also illustrated. Two queries (i.e., lines 24 and 25) were run to test whether the session key was secure and whether the user could obtain authentication from the service provider.

4.3.2. Code for Process in ProVerif

In Figure 3, lines 26–53 of the code (respectively, lines 55–77 of the code) are dedicated to the registration and authentication of the user (respectively, the registration and authentication of the service provider). Then, through the code process ((!User(Idi,PWi))|(!GWN(x,X,P))) that is used to run two entities’ processes in parallel, we can obtain running results for the program codes (see lines 85–89 in Figure 3; i.e., the verification summary). The result in line 87 indicates that the attacker cannot calculate or track the session key SKusecret, and the last line (i.e., line 88) denotes that the event UserKey(UK) is correctly executed after the event ServerKey(SK) and shows that the user has obtained authentication from the service provider.

5. Summary Comparison: Functionality and Performance

To show the better balance of availability and security in the presented 2FA protocol, this section provides a comparative evaluation focusing on the functionality analyses, communication, and calculation overhead in the schemes developed by Tsai et al. [36], Zhu et al. [38], Liu et al. [35], Roy et al. [37], and Islam et al. [5] and in the presented 2FA protocol.

5.1. Security Evaluation Criteria

The hinge that can be used to assess the goodness of the functionality of an authentication protocol is whether the protocol design conforms to the fundamental principles. Wang et al. [42] and Wang et al. [57] provided conclusions regarding the security criteria in terms of AKA protocols. On the basis of our security analysis demonstrated above, Table 5 presents the safety criteria designed in [42,57] and then ten evaluation criteria ( E C ) are described.

5.2. Functionality Comparison

In the following, a comprehensive functionality comparison between the 2FA protocol and the five most advanced protocols [5,35,36,37,38] is presented using the evaluation indicators mentioned in Section 5.1.
The comparison results are depicted in Table 6, where the notation means that the protocol demonstrates the property, and denotes that the protocol does not demonstrate the property. As shown in Table 6, the protocol from [5] cannot fulfill E C 5 and E C 9 , since the smart card in [5] stores an explicit password validation parameter and is not resistant against password-guessing attacks and key-compromise user impersonation attacks. Furthermore, smart card revocation of function is not provided in [5].
The protocol in [35] cannot provide user anonymity given the transmission of plaintext identities over an open channel, and clock synchronization attacks cannot be resisted; that is, the protocol in [35] does not demonstrate E C 1 , E C 8 , and E C 9 . Further, Tsai et al.’s protocol [34] does not demonstrate E C 9 and E C 10 , and Roy et al.’s protocol [37] does not demonstrate E C 5 , E C 8 , and E C 10 . Specifically, the protocol in [36] cannot achieve forward secrecy due to the storage of secret key values in the corresponding device [36]. Although only three chaotic-map operations are performed in the protocol in [37], it is still incapable of maintaining forward secrecy once the long-term key is compromised. In addition, the password validation parameter is stored explicitly in the smart card and the plaintext identity is transmitted over the open channel in Roy et al.’s protocol [37], which makes it easy for the attacker to intercept, resulting in the information from the communicator not being synchronized. Similarly, Zhu et al.’s protocol [38] is vulnerable to password-guessing attacks and smart-card-loss attacks due to the smart card storing an explicit password validation parameter. Accordingly, [38] does not demonstrate E C 3 and E C 5 .
In general, by observing the Table 6, it can be deduced that the proposed 2FA protocol is the only one that meets the expected security and usability goals and is immune to various known attacks. The proposed 2FA protocol is the only protocol that is resistant against diverse known attacks and can meet the ideal safety and availability goals.

5.3. Communication and Computation Cost Comparison

To provide a fair presentation of the computation and communication cost comparison, drawing on previous research work [58,59], notations with the corresponding running time and running platform are shown in Table 7. For the evaluation of the communication overhead in the login and authentication phase, the length of the safety parameters is defined in Table 8.
As shown in Table 9, the total computation cost for the 2FA protocol is 1.818 ms. Compared with other protocols, the 2FA protocol has slightly higher computing costs (and is closest to the cost of the scheme from [35]), allowing it to obtain higher robustness in terms of safety. The total communication cost of the 2FA protocol is 1376 bits. It can be seen that the communication costs of the relevant protocols are slightly lower than that of the 2FA protocol. It can be seen that only two communication message streams are required in the 2FA protocol, while three message streams are required in the protocols from [5,35,36].
In conclusion, it can be seen that the proposed 2FA protocol is the most suitable for two-factor authentication and key agreement and balances security and availability in mobile computing.

6. Conclusions

The authentication mechanism has always been an effective way of guaranteeing secure communication in mobile computing. However, existing authentication protocols weaken security in the pursuit of high efficiency. In this study, we designed a robust and effective 2FA protocol and then fully proved the protocol’s security and good performance. The safety analysis results using the ProVerif tool demonstrated that the proposed 2FA protocol was able to achieve semantic security, satisfy all ten evaluation criteria ( E C 1 E C 10 ), and provide mutual authentication for and preserve the security of the session key. By comparing the performance of six state-of-the-art protocols and the presented 2FA protocol, we showed that the designed 2FA protocol is more practical. Its design ideas presented in our paper are generic and may be used as guidelines to design AKA protocols. As our ongoing research work, we will focus on a more secure authentication protocol that also considers physical attacks for various situations in mobile computing with IPv6 over low-power wireless personal area networks (6LoWPAN) [60].

Author Contributions

Validation, methodology, writing—original draft, K.L. and Z.Z.; writing—review and editing, Q.C., G.X. (Guosheng Xu), C.W. and G.X. (Guoai Xu); validation, Y.G. and W.Z. All authors have read and agreed to the published version of the manuscript.


This work was supported by the National Natural Science Foundation of China under grant no. 62102042 and the National Key Research and Development Program of China under grant no. 2021YFB3101500.

Institutional Review Board Statement

Not applicable.

Informed Consent Statement

Not applicable.

Data Availability Statement

Not applicable.

Conflicts of Interest

The authors declare no conflict of interest.


  1. O’Dea, S. Forecast Number of Mobile Users Worldwide 2020–2025. Available online: (accessed on 2 April 2021).
  2. Available online: (accessed on 10 February 2023).
  3. Available online: (accessed on 2 September 2020).
  4. Wazid, M.; Das, A.K.; Kumar, N.; Rodrigues, J.J. Secure three-factor user authentication scheme for renewable-energy-based smart grid environment. IEEE Trans. Ind. Inform. 2017, 13, 3144–3153. [Google Scholar] [CrossRef]
  5. Islam, S.H.; Vijayakumar, P.; Bhuiyan, M.Z.A.; Amin, R.; Balusamy, B. A provably secure three-factor session initiation protocol for multimedia big data communications. IEEE Internet Things J. 2017, 5, 3408–3418. [Google Scholar] [CrossRef]
  6. Wang, C.; Wang, D.; Tu, Y.; Xu, G.; Wang, H. Understanding node capture attacks in user authentication schemes for wireless sensor networks. IEEE Trans. Dependable Secur. Comput. 2020, 19, 507–523. [Google Scholar] [CrossRef]
  7. Zou, S.; Cao, Q.; Wang, C.; Huang, Z.; Xu, G. A robust two-factor user authentication scheme-based ecc for smart home in iot. IEEE Syst. J. 2022, 16, 4938–4949. [Google Scholar] [CrossRef]
  8. Wang, Q.; Wang, D. Understanding Failures in Security Proofs of Multi-Factor Authentication for Mobile Devices. IEEE Trans. Inf. Forensics Secur. 2022, 18, 597–612. [Google Scholar] [CrossRef]
  9. Gope, P.; Lee, J.; Quek, T.Q. Lightweight and practical anonymous authentication protocol for RFID systems using physically unclonable functions. IEEE Trans. Inf. Forensics Secur. 2018, 13, 2831–2843. [Google Scholar] [CrossRef]
  10. Yang, Z.; He, J.; Tian, Y.; Zhou, J. Faster authenticated key agreement with perfect forward secrecy for industrial internet-of-things. IEEE Trans. Ind. Inform. 2019, 16, 6584–6596. [Google Scholar] [CrossRef]
  11. Das, M.L.; Saxena, A.; Gulati, V.P. A dynamic ID-based remote user authentication scheme. IEEE Trans. Consum. Electron. 2004, 50, 629–631. [Google Scholar] [CrossRef] [Green Version]
  12. Ma, C.G.; Wang, D.; Zhao, S.D. Security flaws in two improved remote user authentication schemes using smart cards. Int. J. Commun. Syst. 2014, 27, 2215–2227. [Google Scholar] [CrossRef]
  13. Hankerson, D.; Menezes, A.; Vanstone, S. Guide to Elliptic Curve Cryptography; Springer Science & Business Media: New York, NY, USA, 2006. [Google Scholar]
  14. Rivest, R.L.; Shamir, A.; Adleman, L. A method for obtaining digital signatures and public-key cryptosystems. Commun. ACM 1978, 21, 120–126. [Google Scholar] [CrossRef] [Green Version]
  15. Zhang, F.; Safavi-Naini, R.; Susilo, W. An efficient signature scheme from bilinear pairings and its applications. In Proceedings of the Public Key Cryptography—PKC 2004: 7th International Workshop on Theory and Practice in Public Key Cryptography, Singapore, 1–4 March 2004; pp. 277–290. [Google Scholar]
  16. Durlanik, A.; Sogukpinar, I. SIP authentication scheme using ECDH. Proc. Work. Acad. Sci. Eng. Technol. 2005, 8, 350–353. [Google Scholar]
  17. Wang, D.; Cheng, H.; He, D.; Wang, P. On the challenges in designing identity-based privacy-preserving authentication schemes for mobile devices. IEEE Syst. J. 2016, 12, 916–925. [Google Scholar] [CrossRef]
  18. Lamport, L. Password authentication with insecure communication. Commun. ACM 1981, 24, 770–772. [Google Scholar] [CrossRef] [Green Version]
  19. Arkko, J.; Torvinen, V.; Camarillo, G.; Niemi, A.; Haukka, T. Security mechanism agreement for SIP sessions. Doc. RFC 2003, 3329, 1–24. [Google Scholar]
  20. Fotouhi, M.; Bayat, M.; Das, A.K.; Far, H.A.N.; Pournaghi, S.M.; Doostari, M.A. A lightweight and secure two-factor authentication scheme for wireless body area networks in health-care IoT. Comput. Netw. 2020, 177, 107333. [Google Scholar] [CrossRef]
  21. Chatterjee, S.; Roy, S.; Das, A.K.; Chattopadhyay, S.; Kumar, N.; Vasilakos, A.V. Secure biometric-based authentication scheme using Chebyshev chaotic map for multi-server environment. IEEE Trans. Dependable Secur. Comput. 2016, 15, 824–839. [Google Scholar] [CrossRef]
  22. Wang, D.; Wang, P. On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions. Comput. Netw. 2014, 73, 41–57. [Google Scholar] [CrossRef]
  23. Vivekanandan, M.; Sastry, V.N.; Srinivasulu Reddy, U. Efficient user authentication protocol for distributed multimedia mobile cloud environment. J. Ambient Intell. Hum. Comput. 2020, 11, 1933–1956. [Google Scholar] [CrossRef]
  24. Hsu, C.L.; Le, T.V.; Hsieh, M.C.; Tsai, K.Y.; Lu, C.F.; Lin, T.W. Three-factor UCSSO scheme with fast authentication and privacy protection for telecare medicine information systems. IEEE Access 2020, 8, 196553–196566. [Google Scholar] [CrossRef]
  25. Hsu, C.L.; Le, T.V.; Lu, C.F.; Lin, T.W.; Chuang, T.H. A privacy-preserved E2E authenticated key exchange protocol for multi-server architecture in edge computing networks. IEEE Access 2020, 8, 40791–40808. [Google Scholar] [CrossRef]
  26. Zhang, Y.; Xu, C.; Li, H.; Yang, K.; Cheng, N.; Shen, X. PROTECT: Efficient password-based threshold single-sign-on authentication for mobile users against perpetual leakage. IEEE. Trans. Mob. Comput. 2020, 20, 2297–2312. [Google Scholar] [CrossRef]
  27. Vivekanandan, M.; U, S.R. Blockchain based privacy preserving user authentication protocol for distributed mobile cloud environment. Peer-to-Peer Netw. Appl. 2021, 14, 1572–1595. [Google Scholar] [CrossRef]
  28. Lin, T.W.; Hsu, C.L.; Le, T.V.; Lu, C.F.; Huang, B.Y. A smartcard-based user-controlled single sign-on for privacy preservation in 5G-IoT telemedicine systems. Sensors 2021, 21, 2880. [Google Scholar] [CrossRef] [PubMed]
  29. Meshram, C.; Ibrahim, R.W.; Deng, L.; Shende, S.W.; Meshram, S.G.; Barve, S.K. A robust smart card and remote user password-based authentication protocol using extended chaotic maps under smart cities environment. Soft Comput. 2021, 25, 10037–10051. [Google Scholar] [CrossRef]
  30. Meher, B.K.; Amin, R. A location-based multi-factor authentication scheme for mobile devices. Int. J. Ad Hoc Ubiquitous Comput. 2022, 41, 181–190. [Google Scholar] [CrossRef]
  31. Le, T.V.; Lu, C.F.; Hsu, C.L.; Do, T.K.; Chou, Y.F.; Wei, W.C. A novel three-factor authentication protocol for multiple service providers in 6G-aided intelligent healthcare systems. IEEE Access 2022, 10, 28975–28990. [Google Scholar] [CrossRef]
  32. Gope, P.; Sikdar, B. Lightweight and privacy-preserving two-factor authentication scheme for IoT devices. IEEE Internet Things J. 2018, 6, 580–589. [Google Scholar] [CrossRef]
  33. Kaveh, M.; Mosavi, M.R. A lightweight mutual authentication for smart grid neighborhood area network communications based on physically unclonable function. IEEE Syst. J. 2020, 14, 4535–4544. [Google Scholar] [CrossRef]
  34. Qiu, S.; Wang, D.; Xu, G.; Kumari, S. Practical and provably secure three-factor authentication protocol based on extended chaotic-maps for mobile lightweight devices. IEEE Trans. Dependable Secur. Comput. 2020, 19, 1338–1351. [Google Scholar] [CrossRef]
  35. Liu, Y.; Xue, K. An improved secure and efficient password and chaos-based two-party key agreement protocol. Nonlinear Dyn. 2016, 84, 549–557. [Google Scholar] [CrossRef]
  36. Tsai, J.L.; Lo, N.W.; Wu, T.C. Novel anonymous authentication scheme using smart cards. IEEE Trans. Ind. Inform. 2012, 9, 2004–2013. [Google Scholar] [CrossRef]
  37. Roy, S.; Chatterjee, S.; Das, A.K.; Chattopadhyay, S.; Kumari, S.; Jo, M. Chaotic map-based anonymous user authentication scheme with user biometrics and fuzzy extractor for crowdsourcing Internet of Things. IEEE Internet Things J. 2017, 5, 2884–2895. [Google Scholar] [CrossRef]
  38. Zhu, H.; Hao, X. A provable authenticated key agreement protocol with privacy protection using smart card based on chaotic maps. Nonlinear Dyn. 2015, 81, 311–321. [Google Scholar] [CrossRef]
  39. Shin, S.; Kobara, K. Security analysis of password-authenticated key retrieval. IEEE Trans. Dependable Secur. Comput. 2015, 14, 573–576. [Google Scholar]
  40. IEEE P1363.2/D11; Standard Specifications for Password-Based Public-Key Cryptographic Techniques. IEEE P1363 Working Group: New York, NY, USA, 2003.
  41. Jablon, D.P. Password authentication using multiple servers. In Proceedings of the Topics in Cryptology—CT-RSA 2001: The Cryptographers’ Track at RSA Conference 2001, San Francisco, CA, USA, 8–12 April 2001; pp. 344–360. [Google Scholar]
  42. Wang, D.; Wang, P. Two birds with one stone: Two-factor authentication with security beyond conventional bound. IEEE Trans. Dependable Secur. Comput. 2016, 15, 708–722. [Google Scholar] [CrossRef]
  43. Blanchet, B.; Smyth, B.; Cheval, V.; Sylvestre, M. Proverif 2.02 pl1: Automatic Cryptographic Protocol Verifier, User Manual and Tutorial; Technical Report. 2020. Available online: (accessed on 5 September 2020).
  44. Wang, D.; Wang, P. On the implications of Zipf’s law in passwords. In Computer Security—ESORICS, Proceedings of the 21st European Symposium on Research in Computer Security, Heraklion, Greece, 26–30 September 2016; Askoxylakis, I., Ioannidis, S., Katsikas, S., Meadows, C., Eds.; Springer: Cham, Switzerland, 2016; pp. 111–131. [Google Scholar]
  45. Wang, D.; He, D.; Wang, P.; Chu, C.H. Anonymous two-factor authentication in distributed systems: Certain goals are beyond attainment. IEEE Trans. Dependable Secur. Comput. 2014, 12, 428–442. [Google Scholar] [CrossRef]
  46. Eisenbarth, T.; Kasper, T.; Moradi, A.; Paar, C.; Salmasizadeh, M.; Shalmani, M.T.M. On the power of power analysis in the real world: A complete break of the KeeLoq code hopping scheme. In Advances in Cryptology—CRYPTO, Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 17–21 August 2008; Wagner, D., Ed.; Springer: Berlin/Heidelberg, Germany, 2008; pp. 203–220. [Google Scholar]
  47. Kocher, P.; Jaffe, J.; Jun, B. Differential power analysis. In Advances in Cryptology—CRYPTO’ 99, Proceedings of the Annual International Cryptology Conference, Santa Barbara, CA, USA, 15–19 August 1999; Wiener, M., Ed.; Springer: Berlin/Heidelberg, Germany, 1999; pp. 388–397. [Google Scholar]
  48. Messerges, T.S.; Dabbish, E.A.; Sloan, R.H. Examining smart-card security under the threat of power analysis attacks. IEEE Trans. Comput. 2002, 51, 541–552. [Google Scholar] [CrossRef] [Green Version]
  49. Wang, D.; Zhang, Z.; Wang, P.; Yan, J.; Huang, X. Targeted online password guessing: An underestimated threat. In Proceedings of the 2016 ACM SIGSAC Conference on Computer and Communications Security, Vienna, Austria, 24–28 October 2016; pp. 1242–1254. [Google Scholar]
  50. Wang, D.; Cheng, H.; Wang, P.; Huang, X.; Jian, G. Zipf’s law in passwords. IEEE Trans. Inf. Forensic Secur. 2017, 12, 2776–2791. [Google Scholar] [CrossRef]
  51. Agrawal, S.; Das, M.L.; Lopez, J. Detection of node capture attack in wireless sensor networks. IEEE Syst. J. 2018, 13, 238–247. [Google Scholar] [CrossRef]
  52. He, D.; Wang, D. Robust biometrics-based authentication scheme for multiserver environment. IEEE Syst. J. 2014, 9, 816–823. [Google Scholar] [CrossRef]
  53. Wang, D.; Wang, N.; Wang, P.; Qing, S. Preserving privacy for free: Efficient and provably secure two-factor authentication scheme with user anonymity. Inf. Sci. 2015, 321, 162–178. [Google Scholar] [CrossRef]
  54. Bellare, M.; Pointcheval, D.; Rogaway, P. Authenticated key exchange secure against dictionary attacks. In Proceedings of the Eurocrypt 2000, Bruges, Belgium, 14–18 May 2000; pp. 139–155. [Google Scholar]
  55. Bresson, E.; Chevassut, O.; Pointcheval, D. Security proofs for an efficient password-based key exchange. In Proceedings of the 10th ACM Conference on Computer and Communications Security, Washington, DC, USA, 27–30 October 2003; pp. 241–250. [Google Scholar]
  56. Shoup, V. Sequences of games: A tool for taming complexity in security proofs. IACR Cryptol. Eprint Arch. 2004, 332. Available online: (accessed on 18 January 2006).
  57. Wang, D.; Gu, Q.; Cheng, H.; Wang, P. The request for better measurement: A comparative evaluation of two-factor authentication schemes. In Proceedings of the 11th ACM on Asia Conference on Computer and Communications Security, ASIA CCS ’16, Xi’an, China, 30 May–3 June 2016; pp. 475–486. [Google Scholar]
  58. Wu, F.; Li, X.; Xu, L.; Vijayakumar, P.; Kumar, N. A novel three-factor authentication protocol for wireless sensor networks with IoT notion. IEEE Syst. J. 2020, 15, 1120–1129. [Google Scholar] [CrossRef]
  59. Srinivas, J.; Das, A.K.; Wazid, M.; Kumar, N. Anonymous lightweight chaotic map-based authenticated key agreement protocol for industrial Internet of Things. IEEE Trans. Dependable Secur. Comput. 2018, 17, 1133–1146. [Google Scholar] [CrossRef]
  60. Abbas, G.; Tanveer, M.; Abbas, Z.H.; Waqas, M.; Baker, T.; Al-Jumeily OBE, D. A secure remote user authentication scheme for 6LoWPAN-based Internet of Things. PLoS ONE 2021, 16, e0258279. [Google Scholar] [CrossRef]
Figure 1. System model of 2FA protocol.
Figure 1. System model of 2FA protocol.
Applsci 13 04425 g001
Figure 2. Definition of parameters in ProVerif.
Figure 2. Definition of parameters in ProVerif.
Applsci 13 04425 g002
Figure 3. Code for process in ProVerif.
Figure 3. Code for process in ProVerif.
Applsci 13 04425 g003
Table 1. Goals with related descriptions.
Table 1. Goals with related descriptions.
Anonymity and un-traceabilityIdentity protection and user un-traceability
Resistance against password-guessing attacksThe attacker cannot grasp the user’s password
Session key securityThe attacker cannot compute or steal the session key negotiated between the user and service provider [34]
Resistance against impersonation attacksServer impersonation attacks and key-compromise user impersonation attacks
Table 2. Notations with related descriptions.
Table 2. Notations with related descriptions.
U i User x Long-term key for S j
S j Service provider A Malicious adversary
I D i Unique identity of U i String concatenation operation
P W i Password chosen by U i Bitwise XOR operation
b Random numbers for S j H One-way hash function
a Random numbers for U i S K Session key shared between U i and S j
Table 3. User registration phase.
Table 3. User registration phase.
User ( U i ) Secure ChannelService Provider ( S j )
Registration Phase:
Choose I D i I D i Generates a random number r i   ϵ Z p
V i = H I D i x r i
Generates a random number a i   ϵ Z p Store I D i , r i , S u m = 0 in database
Computes: New smart card:
R P W i = H I D i P W i   m o d   n 0 S C i = X , P , V i
B i = H R P W i a i V i S C i
Chooses an integer 2 4 n 0 2 8
A i = H I D i P W i a i   m o d   n 0
Update smart card:
S C i = a i , A i , B i , X , P , n 0
Table 4. Login and authentication phase.
Table 4. Login and authentication phase.
User ( U i ) Public ChannelServer ( S j )
Step 1:
Input I D i , P W i
A i = H I D i P W i a i   m o d   n 0
Checks if A i = A i Step 2:
Compute: Computes K 2 = x K 1
R P W i = H I D i P W i   m o d   n 0 I D i V i = D K 2 M 2
V i = B i H R P W i a i Checks the validity I D i
Generates a random number a Extract: r i
Compute: Check if V i = H I D i x r i
K 1 = a P , K 2 = a X Compute: M 1 = H I D i K 1 K 2 V i
M 1 = H I D i K 1 K 2 V i Checks if M 1   = M 1
M 2 = E K 2 I D i V i M 1 , M 2 , K 1 Generates a random number b
Step 4: K 3 , M 3 Step 3:
Computes K 4 = a K 3 Computes K 3 = b P , K 4 = b K 1
S K u = H K 4 I D i V i M 3 = H K 3 K 2 V i I D i K 4
M 3 = H K 3 K 2 V i I D i K 4 S K s = H K 4 I D i V i
Checks if M 3 =   M 3
Table 5. Security evaluation criteria for AKA protocols.
Table 5. Security evaluation criteria for AKA protocols.
E C 1 User anonymity and un-traceability E C 6 Provision of key agreement
E C 2 Password verifier table is unwanted E C 7 Mutual authentication verification
E C 3 Password exposure is avoidable E C 8 No clock synchronization
E C 4 Timely typo detection E C 9 Sound capacity for repair
E C 5 No smart-card-loss attack E C 10 Forward secrecy
Table 6. Functionality comparison of relevant AKA protocols.
Table 6. Functionality comparison of relevant AKA protocols.
ProtocolsRef.Evaluation Criteria
E C 1 E C 2 E C 3 E C 4 E C 5 E C 6 E C 7 E C 8 E C 9 E C 10
Tsai et al. (2013)[36]
Zhu et al. (2015)[38]
Liu et al. (2016)[35]
Roy et al. (2018)[37]
Islam et al. (2018)[5]
2FA protocol[-]
Table 7. Notations with related abbreviations.
Table 7. Notations with related abbreviations.
NotationDescriptionTime/msRunning Platform
T c The computing time for the extended chaotic-map operation0.294Ubuntu 18.04 with Intel i7-4710HQ, 2.5 GHz CPU and 8 G memory
T m The computing time for elliptic curve point multiplication0.294
T s The computing time for the symmetric cryptography operation0.021
T h The computing time for a one-way hash operation0.003
Table 8. Lengths of the safety parameters.
Table 8. Lengths of the safety parameters.
User identity160
Random number128
Elliptic curve point160
The output of the hash function160
The ciphertext of the symmetric encryption/decryption algorithm128
Table 9. Communication and computation costs in the login and authentication phase.
Table 9. Communication and computation costs in the login and authentication phase.
ProtocolsComputation CostTotal Communication CostMessage Rounds
UserService ProviderTotal Running Time
Tsai et al. (2013) [36] 5 T h + T m 5 T h + 3 T m 1.206 ms960 bits3
Zhu et al. (2015) [38] 4 T h + 2 T c 6 T h + 2 T c 1.206 ms736 bits2
Liu et al. (2016) [35] 6 T h + 3 T c 6 T h + 3 T c 1.8 ms1280 bits3
Roy et al. (2018) [37]9 T h + 2 T c 6 T h + T c 0.927 ms960 bits2
Islam et al. (2018) [5] 7 T h + 2 T m + T s 5 T h + 2 T m + T s 1.254 ms768 bits3
2FA protocol 10 T h + 3 T m 8 T h + 3 T m 1 .818 ms1376 bits2
Disclaimer/Publisher’s Note: The statements, opinions and data contained in all publications are solely those of the individual author(s) and contributor(s) and not of MDPI and/or the editor(s). MDPI and/or the editor(s) disclaim responsibility for any injury to people or property resulting from any ideas, methods, instructions or products referred to in the content.

Share and Cite

MDPI and ACS Style

Liu, K.; Zhou, Z.; Cao, Q.; Xu, G.; Wang, C.; Gao, Y.; Zeng, W.; Xu, G. A Robust and Effective Two-Factor Authentication (2FA) Protocol Based on ECC for Mobile Computing. Appl. Sci. 2023, 13, 4425.

AMA Style

Liu K, Zhou Z, Cao Q, Xu G, Wang C, Gao Y, Zeng W, Xu G. A Robust and Effective Two-Factor Authentication (2FA) Protocol Based on ECC for Mobile Computing. Applied Sciences. 2023; 13(7):4425.

Chicago/Turabian Style

Liu, Kaijun, Zhou Zhou, Qiang Cao, Guosheng Xu, Chenyu Wang, Yuan Gao, Weikai Zeng, and Guoai Xu. 2023. "A Robust and Effective Two-Factor Authentication (2FA) Protocol Based on ECC for Mobile Computing" Applied Sciences 13, no. 7: 4425.

Note that from the first issue of 2016, this journal uses article numbers instead of page numbers. See further details here.

Article Metrics

Back to TopTop