This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2025.3563552

Practical Two-Factor Authentication Protocol for Real-Time Data Access in WSNs
Meijia Xu and Ding Wang

Abstract—With the rapid development of sensors and communication technologies, the Internet of Things (IoT) paradigm has increasingly expanded to cover various daily, industrial, and military applications. As a core component of the IoT responsible for environmental sensing and data collection, wireless sensor networks (WSNs) face significant security threats. The design of multi-factor authentication schemes to secure real-time data transmission in WSNs has garnered considerable research efforts. However, a common trend in existing multi-factor authentication protocols is emphasizing performance and security benefits, while possible limitations are rarely subjected to thorough analysis. To fill this gap, we first select two representative multi-factor authentication schemes (i.e., Chaudhry et al.'s scheme at ACM ToIT'21 and Jabbari-Mohasef's scheme at IEEE TII'22) as case studies, and point out that both schemes are vulnerable to offline password guessing and node capture attacks, and fail to achieve forward secrecy. We then investigate the fundamental causes of these weaknesses underlying the schemes and propose corresponding solutions. After rethinking previous schemes, we present a new robust two-factor authentication scheme for WSNs and formally prove its security under the Random Oracle Model. Furthermore, we compare our scheme with 18 state-of-the-art protocols using the widely accepted evaluation framework. The comparison results show that our protocol outperforms its foremost counterparts.

Index Terms—Multi-factor authentication; Internet of Things; Wireless sensor networks; Offline password guessing; Forward secrecy.

1 INTRODUCTION
As Internet of Things (IoT) technology matures and evolves toward intelligence, wireless sensor networks (WSNs) have been widely adopted in various domains (e.g., Industrial Internet of Things [1], smart home [2], and environmental monitoring [3]). In many critical applications (e.g., battlefield environmental monitoring [4], patient heartbeat monitoring [5]), external users often require real-time access to sensor node data. However, the long communication links between sensor nodes and gateways in WSNs negatively affect the efficiency of data queries. Consequently, enabling users to access real-time data directly from sensor nodes on demand has become a fundamental feature of WSNs [6]. Meanwhile, given the openness of WSN channels and the mobility of users, it is necessary to protect sensitive data and user behavior information from attacks, eavesdropping, modification, etc. The consequences could be disastrous once malicious/unauthorized users access sensitive data. To mitigate these risks, user authentication is essential to prevent malicious or unregistered users from illegally accessing private data. User authentication is typically divided into three types: 1) something the user knows (e.g., passwords), 2) something the user has (e.g., smart cards), and 3) something the user is (e.g., fingerprints) [7].

[Fig. 1. Multi-factor authentication scheme in WSNs. The figure shows the three factors (Knowledge: the user knows a password; Possession: the user has a mobile device; Inherence: the user is identified by a fingerprint) and the participants User, Gateway, Sensor node and Attacker.]

Passwords remain the dominant form of user authentication today due to their key advantages, such as low deployment cost, convenient account recovery, and remarkable simplicity [8], [9]. Password-based authentication key exchange (PAKE) protocols allow two parties to establish a shared session key based on a low-entropy password and are one of the most widely used cryptographic protocols. A key characteristic of these protocols is that they require servers to store a password verifier (i.e., parameters derived from the user's password via a one-way function, such as a salted hash) for authentication [10]–[12]. Nowadays, catastrophic data breaches have become alarmingly common (e.g., 3 billion Yahoo leak [13], 1.1 billion Alibaba breach [14]). Once password verifiers are exposed, attackers can immediately exploit them to conduct offline password guessing attacks. This vulnerability is further exacerbated by the continuous advancement of offline guessing algorithms [15]. In recent years, multi-factor authentication (MFA) has become a widely adopted method to enhance user authentication security without requiring servers to store password files [16]. For example, Google Cloud plans to enforce MFA for all users by the end of 2025. MFA leverages two or more authentication factors to verify the user's identity, ensuring that even if an adversary compromises n − 1 factors in an n-factor authentication scheme (e.g., n = 2, 3), the system remains secure [16]. This method significantly reduces reliance on a single factor.

As shown in Fig. 1, a typical multi-factor authentication protocol in WSNs involves three types of participants: gateways, users, and a large number of sensor nodes [6]. Unlike traditional client-server structures, WSNs consist of numerous sensor nodes constrained by limited storage

• Meijia Xu and Ding Wang are with the College of Cryptology and Cyber Science, Nankai University, Tianjin 300350, China, and Key Laboratory of Data and Intelligent System Security (Ministry of Education), Nankai University, Tianjin 300350, China, and also with Tianjin Key Laboratory of Network and Data Security Technology, Nankai University, Tianjin 300350, China. (Email: xumeijia@[Link]; wangding@[Link];).
• Corresponding author is Ding Wang.
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on July 24,2025 at [Link] UTC from IEEE Xplore. Restrictions apply.
© 2025 IEEE. All rights reserved, including rights for text and data mining and training of artificial intelligence and similar technologies. Personal use is permitted,
but republication/redistribution requires IEEE permission. See [Link] for more information.

and computational resources. These nodes are deployed in unattended environments, making them vulnerable to physical attacks. Therefore, in WSNs, beyond addressing the security challenges of conventional MFA schemes, it is necessary to ensure security when a subset of nodes is corrupted [7]. The unique challenges posed by WSNs demand a robust multi-factor authentication scheme to ensure the security of authentication and key establishment.

1.1 Related Work
In 2009, Das et al. [17] first proposed a two-factor (password+smart card) authentication scheme in WSNs, allowing users to access the information stored in sensor nodes securely. However, subsequent works [18], [19] revealed vulnerabilities in Das et al.'s scheme. The scheme is vulnerable to insider privilege attacks, offline password guessing attacks, user impersonation attacks, etc. In 2011, Fan et al. [18] proposed a new two-factor authentication scheme to improve the security of Das et al.'s and similar schemes. It repaired some defects of Das et al.'s [17] scheme, but Wang et al. [20] subsequently demonstrated that Fan et al.'s [18] scheme failed to ensure user anonymity. Subsequently, Das et al. [21] proposed a new scheme in 2012 and introduced dynamic node addition for sensor network expansion. Still, Li et al. [22] later revealed that Das et al.'s protocol cannot prevent the adversary from obtaining long-term session keys and cannot ensure user anonymity.

In 2013, Xue et al. [23] proposed a lightweight two-factor authentication scheme, which first uses temporary credentials to achieve user anonymity. However, Xue et al.'s method was later shown to be ineffective. Specifically, Ma et al. [24] highlighted the necessity of public-key techniques in password authentication schemes to ensure forward secrecy, achieve user anonymity, and resist offline password guessing attacks. Nonetheless, prior failures and Ma et al.'s principle [24] failed to attract sufficient attention from protocol designers. Furthermore, many protocol designers [25]–[31] tend to prioritize the efficiency of schemes, which hinders the objective analysis of their deficiencies.

In 2018, Wazid et al. [31] proposed a smart card-based password authentication protocol. Then, Wang et al. [6] found Wazid et al.'s scheme cannot achieve forward secrecy and cannot resist offline password guessing attacks. Moreover, to address the "break-fix-break-fix" cycle in multi-factor authentication (MFA) for WSNs, they proposed a systematic evaluation framework for objectively assessing authentication schemes. Using this framework, they conducted a comprehensive evaluation of 44 representative schemes. In 2022, based on the protocol of Wazid et al. [31], Jabbari and Mohasef [26] proposed a multi-factor authentication protocol for the long range wide area network (LoRaWAN) using AES symmetric encryption technology. Jabbari and Mohasef claimed that the scheme could achieve all proposed security goals. Moreover, Wazid et al. [27] recently proposed a multi-factor authentication protocol based on cloud IoT. Later, Chaudhry et al. [25] found that when there are multiple users, mutual authentication and key agreement cannot be implemented in Wazid et al.'s [27] protocol. Then, Chaudhry et al. [25] proposed an improved protocol to remedy this problem. Still, as our analysis reveals, the protocols of Jabbari-Mohasef [26] and Chaudhry et al. [25] fail to achieve the security goals they claimed.

In 2022, Wang et al. [7] pointed out that node capture attacks are one of the most common security threats to multi-factor authentication schemes in WSNs, yet they have received limited attention in research. Wang et al. [7] conducted an in-depth analysis of node capture attacks and their causes, categorizing them into ten types and proposing modification suggestions for several typical vulnerable protocols. Although Wang et al. [7] intended to help protocol designers better understand node capture attacks, many newly proposed protocols are still vulnerable to such attacks (e.g., [32], [33]). Moreover, these newly proposed protocols (e.g., [33]–[35]) also suffer from various security issues. Designing a practical multi-factor user authentication scheme for WSNs remains a challenging task.

1.2 Motivations and Contributions
Research on multi-factor authentication protocols over the past 30 years [16], [36], [37] demonstrates that designing secure password-based MFA protocols remains challenging. For WSNs, their unique characteristics bring more challenges. Specifically, sensor nodes are often deployed in unattended environments, making them highly vulnerable to physical attacks [6]. In other words, adversaries can easily capture these nodes. Consequently, in addition to common attacks on multi-factor authentication schemes, it is essential to prevent node capture attacks, which significantly increase the challenge of designing secure authentication schemes for WSNs. Although researchers continuously propose new schemes [26], [32], [33], [38], most still contain vulnerabilities. Instead, they rely on superficial fixes to address vulnerabilities in previous insecure protocols, ultimately perpetuating the same issues. This lack of fundamental analysis limits the reliability of these protocols and also hinders the development of secure schemes for WSNs.

To address this issue, this work aims to provide deep insights into the inherent problems of existing protocols and their corresponding countermeasures. Specifically, we conduct a detailed analysis of two representative MFA protocols for WSNs [25], [26], identifying several critical flaws that are also prevalent in many newly proposed protocols [28]–[30], [32], [33], [39], [40]. By analyzing the root causes of these vulnerabilities, we highlight the fundamental design challenges (e.g., resistance to offline password guessing, node capture, and de-synchronization attacks) that must be addressed. Based on these findings, we propose a new practical two-factor authentication protocol tailored to the security requirements of WSNs. In summary, our contributions are three-fold:
(1) We analyze two representative multi-factor authentication schemes for WSNs: Chaudhry et al. (ACM ToIT'21) [25] and Jabbari-Mohasef (IEEE TII'22) [26]. Our investigation demonstrates that neither scheme achieves true multi-factor security and forward secrecy, and both are vulnerable to node capture attacks and offline password guessing attacks. Furthermore, we reveal the root causes of these security weaknesses and propose corresponding countermeasures.

(2) Based on the empirical insights gained from analyzing design vulnerabilities in state-of-the-art MFA schemes for WSNs and their corresponding remediation strategies, we present a new two-factor authentication protocol for WSNs. We formally prove the security of our proposed protocol under the random oracle model (ROM). Considering that certain practical scenarios like de-synchronization attacks [41] cannot be fully captured by ROM analysis, we complement this with comprehensive heuristic analysis.
(3) Following the well-established evaluation framework of Wang et al. [6], we conduct a systematic comparison between our scheme and 18 state-of-the-art protocols. The comparison results show that our protocol outperforms its counterparts significantly.

2 ADVERSARY MODEL & EVALUATION CRITERIA

2.1 Adversary Model
A reasonable adversary model should assume that the attacker possesses the most powerful capabilities possible, except for those that would trivially compromise the security of any protocol. We employ Wang et al.'s adversary model proposed in 2018 [16]. It is one of the few harsh but reasonable models, which has been highly recommended (see [42], [43]) and widely accepted (see [44]–[46]). The capabilities of the adversary A are as follows.
C1. A can offline enumerate all items in the space of identity and password. The user identity ID usually has a fixed format and is randomly selected. Meanwhile, Wang et al. have proved that the distribution of user passwords usually follows Zipf's law [47]. This implies that the password space D_PW and the identity space D_ID are limited in reality (|D_ID| ≤ |D_PW| ≈ 10^6).
C2. A can fully control the open channel. According to the Dolev-Yao model [48], the adversary A can eavesdrop, intercept, modify, delete and insert any transmitted information over the public channel.
C3. A can obtain previous session keys. A memory leak or improper sanitization of the sensor node or user device may lead to disclosure of the session key. It could cause the attacker to launch a known key attack.
C4. A can access the information stored in the GWN. When A is an insider, she can obtain all information stored in the GWN except for its secret key.
C5. A can acquire the long-term secret key when considering forward secrecy. Forward secrecy is regarded as the last line of defense for system security. We assume that A can obtain the long-term private key only when evaluating the protocol's forward secrecy property.
C6. A can access secret information stored in sensor nodes. Sensor nodes are often deployed in unattended environments, making them vulnerable to physical attacks [6], [7]. The attackers can launch attacks and get secret information stored in the nodes.
C7. A can compromise any n-1 factors in an n-factor authentication scheme. Multi-factor security means the attacker cannot break the security of an n-factor scheme even if she obtains n-1 authentication factors.

2.2 Evaluation Criteria
Wang et al. [6] propose evaluation criteria tailored to WSNs. These criteria are systematic, comprehensive, and concrete, and have been widely accepted (see [7], [45]). We adopt these criteria to evaluate recently proposed protocols, focusing on aspects such as security and user-friendliness. A summary of the evaluation criteria is provided in Table 2.

TABLE 1
Notations and abbreviations.
Symbol        Description
Ui            the ith user
Sj            the jth sensor node
GW            the gateway node
NS            the network server
RID_Ui        pseudo identity of Ui
s             the long-term secret key of NS
RID_Sj        pseudo identity of Sj
Kj            shared key of trusted authority
IDi, ID_Sj    identity of Ui, Sj
TDi           dynamic identity of Ui
TA            the trusted authority
PWi, SCi      password, smart card of Ui
Gen/Rep       fuzzy extractor
X             long-term secret key of GWN
Ej            the jth end-device
πi, ρi        long-term secret keys of Ui
aes_cmac      AES-CMAC
aes_encrypt   AES encryption algorithm
h(·)          one-way hash function
RTS_Sj        registration timestamp of Sj
→             an insecure channel
⊕             bitwise XOR operation
⇒             a secure channel
∥             concatenation operation

3 REVIEW OF CHAUDHRY ET AL.'S SCHEME
Recently, Chaudhry et al. [25] point out that Wazid et al.'s protocol [27] fails to achieve mutual authentication in scenarios with multiple users. Chaudhry et al. [25] make improvements to Wazid et al.'s protocol and prove that their protocol is secure and effective. In this section, we briefly review Chaudhry et al.'s protocol [25]. The intuitive notations and abbreviations are listed in Table 1.

3.1 Registration Phase
1) Sensor Nodes Registration
Step 1. TA computes RID_Sj = h(ID_Sj ∥ Kj) and TC_Sj = h(ID_Sj ∥ Kj ∥ RTS_Sj) for Sj.
Step 2. TA stores RID_Sj, TC_Sj and h(RID_Sj ∥ Kj) in Sj.
Step 3. TA stores RID_Sj, TC_Sj, h(RID_Sj ∥ Kj) and the secret key X in the memory of gateway GWN.
2) User Registration
Step 1. Ui ⇒ TA: {IDi}.
Step 2. TA ⇒ Ui: SCi: {TDi, TC_Ui, Ri, h(·)}. When receiving the message, TA selects Ki, TDi and computes TC_Ui = h(IDi ∥ Ki). Then TA gets Ri = h(IDi ∥ X), Ki = h(Ki ∥ Ri) and RID_Ui = h(IDi ∥ Ri). TA stores TDi, TID_Ui = IDi ⊕ Ki, WID_Ui = Ki ⊕ h(TDi ∥ X) in the verifier-table maintained by the corresponding GW and sends a SCi with {TDi, TC_Ui, Ri, h(·)} to Ui over a secure channel.
Step 3. Ui selects password PWi, secret number k and imprints biometrics BIOi. Then Ui gets Gen(BIOi) = (σi, τi), RPWi = h(PWi ∥ k), Ai = h(IDi ∥ σi) ⊕ k, Fi = h(RPWi ∥ σi ∥ Ri ∥ TC_Ui), Ri* = Ri ⊕ h(IDi ∥ k), TDi* = TDi ⊕ h(k ∥ σi) and TC_Ui* = TC_Ui ⊕ h(IDi ∥ σi ∥ PWi). After that, Ui replaces TDi, TC_Ui by TDi*, TC_Ui* in SCi. Finally, the smart card contains {TDi*, TC_Ui*, Ri*, Fi, Ai, τi, h(·), Gen(·), Rep(·), t}.

3.2 Login and Authentication Phase
Step 1. Ui → GW: Msg1 = {M1, M2, M3, M4, T1}.

TABLE 2
Evaluation criteria.
S1 No password verifier-table: The verifier-table related to the password should not be stored in the gateway and sensor nodes.
S2 Password friendly: The user can choose the password at will and change it locally.
S3 Password security: The gateway's privileged administrator cannot break the user's password.
S4 No smart card loss attack: If the attacker obtains the information stored in the smart card, she cannot increase her attack advantage.
S5 Resistance to known attacks: The protocol can resist all known attacks.
S6 Scheme repairability: The scheme is able to revoke smart cards and add dynamic sensor nodes.
S7 Establishment of the session key: A shared session key must be established to protect the security of the next communication.
S8 No clock synchronization: It is best not to use clock synchronization, which might bring about de-synchronization attacks.
S9 Timely typo detection: The smart card should detect and prompt the user for authentication failure due to a typo in time.
S10 Mutual authentication: Participants should be able to authenticate each other's identities.
S11 User anonymity: The adversary cannot obtain the identity and cannot distinguish whether two messages are from the same user.
S12 Forward secrecy: If the attacker obtains a long-term secret key, she cannot get the previous session key.

The user enters {IDi, PWi, BIOi}. Then SCi computes σi* = Rep(BIOi*, τi), k = Ai ⊕ h(IDi ∥ σi*), Ri = Ri* ⊕ h(IDi ∥ k), RID_Ui = h(IDi ∥ Ri), TC_Ui = TC_Ui* ⊕ h(IDi ∥ σi* ∥ PWi*), RPWi* = h(PWi* ∥ k) and Fi* = h(RPWi* ∥ σi* ∥ Ri ∥ TC_Ui). After that, SCi checks if Fi* = Fi. If Fi* ≠ Fi, SCi rejects the request. Otherwise SCi selects T1, r1 and computes M1 = TDi* ⊕ h(k ∥ σi), M2 = RID_Sj ⊕ h(TC_Ui ∥ IDi ∥ T1), M3 = h(RID_Ui ∥ TC_Ui ∥ T1) ⊕ r1 and M4 = h(IDi ∥ RID_Sj ∥ TC_Ui ∥ r1 ∥ T1). Ui sends Msg1 = {M1, M2, M3, M4, T1} to GW.
Step 2. GW → Sj: Msg2 = {M6, M7, M8, T2}. After receiving the request, GW checks the freshness of T1 by comparing with the current timestamp, Tcur − T1 ≤ ∆T. GW uses M1 to extract TID_Ui and WID_Ui. GW computes Ki = h(M1 ∥ X) ⊕ WID_Ui, where X is the shared secret key. Then it computes IDi = Ki ⊕ TID_Ui, Ri = h(IDi ∥ X), RID_Ui = h(IDi ∥ Ri), RID_Sj = M2 ⊕ h(TC_Ui ∥ IDi ∥ T1), r1 = M3 ⊕ h(RID_Ui ∥ TC_Ui ∥ T1) and M5 = h(IDi ∥ RID_Sj ∥ TC_Ui ∥ r1 ∥ T1). GW will reject the request if M5 ≠ M4. Otherwise, GW generates r2, T2 and computes M6 = h(TC_Sj ∥ RID_Sj) ⊕ r2, M7 = h(RID_Ui ∥ TC_Ui ∥ r1) ⊕ h(TC_Sj ∥ T2), and M8 = h(RID_Sj ∥ TC_Sj ∥ h(RID_Sj ∥ Kj) ∥ r2 ∥ T2). Then GW sends Msg2 = {M6, M7, M8, T2} to Sj.
Step 3. Sj → GW: Msg3 = {M10, M11, M12, T3}. Sj checks the freshness of T2 by comparing with the current timestamp, Tcur − T2 ≤ ∆T. Then Sj computes r2 = M6 ⊕ h(TC_Sj ∥ RID_Sj), h(RID_Ui ∥ TC_Ui ∥ r1) = M7 ⊕ h(TC_Sj ∥ T2) and M9 = h(RID_Sj ∥ TC_Sj ∥ h(RID_Sj ∥ Kj) ∥ r2 ∥ T2). Sj rejects if M9 ≠ M8 and otherwise generates r3, T3 and computes M10 = h(h(RID_Ui ∥ TC_Ui ∥ r1) ∥ T3) ⊕ r3, M11 = h(h(RID_Ui ∥ TC_Ui ∥ r1) ∥ RID_Sj ∥ r3) ⊕ h(h(RID_Sj ∥ Kj) ∥ T3), SKij = h(h(h(RID_Sj ∥ Kj) ∥ T3) ∥ h(RID_Ui ∥ TC_Ui ∥ r1) ∥ RID_Sj ∥ r3 ∥ T3), M12 = h(SKij ∥ T3). Sj sends Msg3 = {M10, M11, M12, T3} to GW.
Step 4. GW → Ui: Msg4 = {Msg3, M13, TDi^new, T4}. After receiving Msg3, GW checks the freshness of T3 by comparing if Tcur − T3 ≤ ∆T. GW generates {TDi^new, T4} and computes TDi^new = TDi^new ⊕ h(RID_Ui ∥ TC_Ui ∥ r1 ∥ T4), TDi = TDi^new, M13 = h(RID_Ui ∥ TDi^new ∥ T4) and WID_Ui = Ki ⊕ h(TDi^new ∥ X). Then GW sends Msg4 = {Msg3, M13, TDi^new, T4} to Ui. To avoid any de-synchronization between GW and Ui, the GW stores the previous TDi in a temporary variable, and on the next login, it is updated with the current one.
Step 5. When receiving Msg4, Ui checks the freshness of T4 by comparing with the current timestamp, Tcur − T4 ≤ ∆T. Ui gets r3 = M10 ⊕ h(h(RID_Ui ∥ TC_Ui ∥ r1) ∥ T3), h(h(RID_Sj ∥ Kj) ∥ T3) = M11 ⊕ h(h(RID_Ui ∥ TC_Ui ∥ r1) ∥ RID_Sj ∥ r3), SKij = h(h(h(RID_Sj ∥ Kj) ∥ T3) ∥ h(RID_Ui ∥ TC_Ui ∥ r1) ∥ RID_Sj ∥ r3 ∥ T3), M14 = h(SKij ∥ T3) and M15 = h(RID_Ui ∥ TDi^new ∥ T4). Ui then checks if M14 = M12 and M15 = M13. Upon success, Ui computes TDi^new = TDi^new ⊕ h(RID_Ui ∥ TC_Ui ∥ r1 ∥ T4) and replaces TDi by TDi^new. Ui keeps SKij as the shared key with Sj.

4 ANALYSIS OF CHAUDHRY ET AL.'S SCHEME
In this section, we reveal that although Chaudhry et al. [25] proposed an improved protocol to address the problems of Wazid et al.'s scheme [27], their scheme fails to achieve the claimed security properties.

4.1 No Truly Multi-factor Security
Generally, a protocol can achieve multi-factor security if the adversary cannot break the security of the remaining factor when she obtains all the other factors [16]. However, we find that Chaudhry et al.'s scheme [25] cannot achieve this goal. The specific attack steps are as follows.
Step 1. A chooses IDi*, PWi* from D_ID × D_PW.
Step 2. A computes σi* = Rep(BIOi, τi).
Step 3. A computes k* = Ai ⊕ h(IDi* ∥ σi*).
Step 4. A computes Ri* = Ri* ⊕ h(IDi* ∥ k).
Step 5. A computes RID_Ui* = h(IDi* ∥ Ri*).
Step 6. A computes TC_Ui* = TC_Ui* ⊕ h(IDi* ∥ σi* ∥ PWi*).
Step 7. A computes RPWi* = h(PWi* ∥ k*).
Step 8. A computes Fi* = h(RPWi* ∥ σi* ∥ Ri ∥ TC_Ui).
Step 9. Repeat Steps 1∼8 until PWi* satisfies Fi* = Fi.
The time complexity is O((6T_H + T_B + 3T_XOR) × |D_ID| × |D_PW|), where T_H is the time of a hash-function evaluation, T_B is the time of the fuzzy extractor, and |D_PW| and |D_ID| are the sizes of the password and identity spaces. Generally, the user's identity has a fixed format, and the protocol allows users to choose their passwords freely. Therefore, the space of password and identity is limited in reality (|D_ID| ≤ |D_PW| ≈ 10^6 [47]). It is reasonable that the adversary can launch this attack.

4.2 Offline Password Guessing Attack
Chaudhry et al.'s scheme [25] is also vulnerable to another offline password guessing attack. This attack also makes the

protocol unable to achieve true multi-factor security. The specific attack steps are as follows.
Step 1. A chooses IDi*, PWi* from D_ID × D_PW.
Step 2. A computes σi* = Rep(BIOi, τi).
Step 3. A computes k* = Ai ⊕ h(IDi* ∥ σi*).
Step 4. A computes Ri* = Ri* ⊕ h(IDi* ∥ k).
Step 5. A computes RID_Ui* = h(IDi* ∥ Ri*).
Step 6. A computes TC_Ui* = TC_Ui* ⊕ h(IDi* ∥ σi* ∥ PWi*).
Step 7. A computes r1* = M3 ⊕ h(RID_Ui* ∥ TC_Ui* ∥ T1).
Step 8. A computes RID_Sj* = M2 ⊕ h(TC_Ui* ∥ IDi* ∥ T1).
Step 9. A computes M4* = h(IDi* ∥ RID_Sj* ∥ TC_Ui* ∥ r1* ∥ T1).
Step 10. Repeat Steps 1∼9 until PWi*, IDi* meet M4* = M4.
The time complexity is O((7T_H + T_B + 5T_XOR) × |D_ID| × |D_PW|). This attack is similar to the one above. The adversary can obtain the victim's password in polynomial time, which breaks the multi-factor security of the protocol.

4.3 No Forward Secrecy
For a secure authentication scheme, forward secrecy is a significant feature, which concerns the security of the previous session key. Even if the adversary can get the long-term private key of the gateway/server, she cannot calculate any previous session key [16]. We reveal that Chaudhry et al.'s scheme [25] cannot achieve forward secrecy.
Step 1. A uses M1 to extract TID_Ui, WID_Ui.
Step 2. A computes Ki = WID_Ui ⊕ h(M1 ∥ X).
Step 3. A computes Ri = h(IDi ∥ X).
Step 4. A computes RID_Ui = h(IDi ∥ X).
Step 5. A computes TC_Ui = h(IDi ∥ Ki).
Step 6. A computes r1 = M3 ⊕ h(RID_Ui ∥ TC_Ui ∥ T1).
Step 7. A computes h(RID_Ui ∥ TC_Ui ∥ r1) = M7 ⊕ h(TC_Sj ∥ T2).
Step 8. A computes r3 = M10 ⊕ h(h(RID_Ui ∥ TC_Ui ∥ r1)).
Step 9. A computes SKij = h(h(RID_Sj ∥ Kj) ∥ T3 ∥ h(RID_Ui ∥ TC_Ui ∥ r1) ∥ RID_Sj ∥ r3 ∥ T3).
The time complexity is O(9T_H + 4T_XOR). As in the above attack, adversaries can obtain the session key of any previous session. The protocol cannot achieve forward secrecy.

4.4 Node Capture Attack
Since sensor nodes are usually unattended, the adversary can use physical attacks [6], [7] to obtain the secret information of the sensor node. Under this assumption, we find that Chaudhry et al.'s scheme [25] cannot resist node capture attacks. Then the adversary can obtain all previous session keys. The specific attack steps are as follows.
Step 1. A computes r2 = M6 ⊕ h(TC_Sj ∥ RID_Sj).
Step 2. A computes h(RID_Ui ∥ TC_Ui ∥ r1) = h(TC_Sj ∥ T2) ⊕ M7.
Step 3. A computes r3 = M10 ⊕ h(h(RID_Ui ∥ TC_Ui ∥ r1)).
Step 4. A computes SKij = h(h(RID_Sj ∥ Kj) ∥ T3 ∥ h(RID_Ui ∥ TC_Ui ∥ r1) ∥ RID_Sj ∥ r3 ∥ T3).
The time complexity is O(4T_H + 3T_XOR). The adversary can calculate the session key by the above attack in polynomial time, making the security of the protocol invalid.

5 REVIEW OF JABBARI-MOHASEF'S SCHEME
In 2022, Jabbari and Mohasef [26] claim that it is necessary to ensure the security and privacy of the information collected by the end devices. It will facilitate the use of LoRaWAN and gain users' trust. However, no suitable authentication scheme could be used in LoRaWAN networks. Thus, they propose a new multi-factor authentication scheme for the LoRaWAN network. In this section, a brief review of their proposed scheme [26] is provided. The intuitive notations and abbreviations are listed in Table 1.

5.1 Registration Phase
1) User Registration
Step 1. Ui ⇒ NS: {MIDi}. Ui chooses the identity IDi and password PWi. She computes MIDi = aes128_cmac(πi, IDi|ρi) and sends it to the NS.
Step 2. NS ⇒ Ui: {Ai, TIDi}. NS chooses a random identity TIDi for Ui and computes Ai = aes128_cmac(s, TIDi) ⊕ MIDi, where s is the long-term secret key of NS. Then NS computes CMIDi' = MIDi ⊕ s, CMIDi = aes128_cmac(s, CMIDi') and generates a counter SUCnti = 0. It keeps SUCnti and CMIDi in its database for auditing and sends Ai, TIDi to Ui.
Step 3. When receiving the message, Ui generates a counter USCnti = 0. Furthermore, Ui imprints her biometrics Bi at SMDi. Then she calculates Gen(Bi) = (βi, αi), Ki = aes128_cmac(βi, IDi|PWi) and Ci = aes128_encrypt(Ki, πi|ρi|MIDi|IDi|Ai|TIDi|USCnti). SMDi stores Ci and αi.
2) Offline End-Device Registration Phase
The one who could connect and configure Ej computes Kij = aes128_cmac(πi, DevEUIj|ρi) and loads it into Ej offline. Ej generates a counter EUCntj = 0. Then Ej stores Kij and EUCntj in its memory securely. At the end, the user generates a new number UECntj = 0 and appends UECntj to the value of Ci in her SMDi.

5.2 Login and Authentication Phase
Step 1. Ui → NS: M1 = {TIDi', Cin}. First, Ui inputs IDi, PWi and biometrics Bi. SMDi computes βi = Rep(Bi, αi) and Ki = aes128_cmac(βi, IDi|PWi). Then it computes aes128_decrypt(Ki, Ci) = (πi'|ρi'|MIDi'|IDi'|Ai'|TIDi'|USCnti'|UECnti') and checks if IDi' = IDi. If so, SMDi computes Kij = aes128_cmac(πi', DevEUIj|ρi'). Then SMDi computes Cij^1 = aes128_decrypt(Kij, λi). It gets UECnti = UECnti' + 1, ECntj = UECnti' and Cij^2 = aes128_decrypt(λi, DevEUIj|ECntj|pad16). Afterward, Ui computes USCnti' = USCnti' + 1, Cnti = USCnti', Kin = Ai' ⊕ MIDi', and Cin = aes128_encrypt(Kin, MIDi'|Cnti|Cij^1|Cij^2|DevEUIj). Due to the Cipher Block Chaining (CBC) mode of the AES encryption, the user needs to update the values of UECnti' and USCnti'. The counter Cnti is used to resist the replay attack. Then Ui delivers M1 to NS.
Step 2. NS → Ej: M2 = {Cnj : KeyEstablishReq}. Upon receiving M1, NS employs s and TIDi' to get Kni = aes128_cmac(s, TIDi'). Subsequently, it decrypts Cin as (MIDi'|Cnti'|Cij^1'|Cij^2'|DevEUIj') = aes128_decrypt(Kni, Cin), computes CMIDi'' = MIDi' ⊕ s, CMIDi' = aes128_cmac(s, CMIDi'') and checks
Authorized licensed use limited to: ANNA UNIVERSITY. Downloaded on July 24,2025 at [Link] UTC from IEEE Xplore. Restrictions apply.
© 2025 IEEE. All rights reserved, including rights for text and data mining and training of artificial intelligence and similar technologies. Personal use is permitted,
but republication/redistribution requires IEEE permission. See [Link] for more information.
This article has been accepted for publication in IEEE Transactions on Dependable and Secure Computing. This is the author's version which has not been fully edited and
content may change prior to final publication. Citation information: DOI 10.1109/TDSC.2025.3563552 6

if CMIDi' is equal to the stored CMIDi. If it does not hold, NS rejects the request. Otherwise, it checks Cnt'i > SUCnti. Then it selects a new random number λn and uses NwkSEncKeynj, which is the key shared between NS and Ej, to encrypt (CID|C¹ij'|C²ij'|DevEUIj'|λn). Then it generates a Message Integrity Code (MIC) for this message to provide the integrity of the message. Finally, NS produces the result Cnj and sends M2 to Ej.
Step 3. Ej → NS: M3 = {Cjn: KeyEstablishAns}.
The end-device Ej uses the key NwkSEncKeyjn to get (CID'|C¹ij'|C²ij'|DevEUIj'|λn'). Then, it uses Kji to decrypt C¹ij' as (λi') = aes128_encrypt(Kji, C¹ij'). It also computes C²ij' as (DevRUIj''|ECnt'j|pad16) = aes128_encrypt(λi', C²ij'). It gets DevEUIj'' and checks if DevEUIj'' = DevEUIj' = DevEUIj and ECnt'j > EUCntj. If it holds, this request is initiated by Ui. Then Ej uses a random number λj to compute EUCntj = ECnt'j, SKji = λi' ⊕ λj, C¹ji = aes128_encrypt(Kji ⊕ λi', λj) and C²ij = aes128_encrypt(λj, SKji). It encrypts (C¹ji|C²ji|λn') by using NwkSEncKeyjn, computes the message's MIC value and gets the result Cjn. Furthermore, Ej sends M3 = {Cjn: KeyEstablishAns} to NS.
Step 4. NS → Ui: M4 = {Cni}.
NS uses NwkSEncKeynj to decrypt the message and checks the MIC value. Thus, NS gets (C¹ji|C²ji|λn'). Then, it verifies if λn' = λn. If so, NS selects a new temporary identity TIDinew and gets Ainew = aes128_cmac(s, TIDinew) ⊕ MIDi, SUCnti = Cnt'i and Cni = aes128_encrypt(Kni, C¹ji|C²ji|TIDinew|Ainew|Cnt'i). NS sends M4 to Ui.
Step 5. The user Ui computes aes128_decrypt(Kin, Cni) = (C¹ji'|C²ji'|TIDinew'|Ainew'|Cnt'i) and checks whether Cnti = USCnti. If it holds, she decrypts (λj') = aes128_decrypt(Kij ⊕ λi, C¹ji') and (SKji') = aes128_decrypt(λj', C²ji'). Then she computes SKij = λi ⊕ λj' and checks whether SKij = SKji'. Then the user establishes a session key with Ej. Ui computes Cinew = aes128_encrypt(Ki, πi'|ρi'|MIDi'|IDi'|Ainew|TIDinew|USCnt'i|UECnt'i) and replaces Ci with Cinew.

5.3 Biometric and Password Update Phase

Step 1. Ui first inputs IDi, PWi and Bi. Then SMDi computes βi = Rep(Bi, αi) and Ki = aes128_cmac(βi, IDi|PWi), decrypts (πi'|ρi'|MIDi'|IDi'|Ai'|TIDi'|USCnt'i|UECnt'j) = aes128_decrypt(Ki, Ci), and verifies whether IDi' = IDi and MIDi' = aes128_cmac(πi', IDi|ρi').
Step 2. Ui enters the new PWinew and Binew. SMDi calculates Gen(Binew) = (βinew, αinew), Kinew = aes128_cmac(βinew, IDi|PWinew) and Cinew. Finally, SMDi replaces Ci, αi with Cinew, αinew.

6 ANALYSIS OF JABBARI-MOHASEF'S SCHEME

Jabbari and Mohasef [26] claimed that their protocol could achieve the coexistence of efficiency and security. However, we reveal that their scheme [26] fails to meet the fundamental goals of a secure multi-factor authentication protocol.

6.1 No Truly Multi-factor Security

We reveal that Jabbari-Mohasef's scheme [26] fails to achieve true multi-factor security. The password can be guessed if an adversary obtains the user's biometric information and the smart card. The specific attack steps are as follows.

Step 1. A computes Gen(Bi) = (βi, αi).
Step 2. A chooses IDi*, PWi* from Did × Dpw.
Step 3. A computes Ki = aes_cmac(βi, IDi' ∥ PWi').
Step 4. A computes (πi*|ρi*|MIDi*||IDi*|Ai*|TIDi*|USCnti*) = aes_encrypt(Ki, Ci).
Step 5. Repeat steps 1 to 4 until IDi* = IDi.

The time complexity: O((T_B + T_aesenc + T_aesmac) × |DID| × |DPW|), where T_aesmac is the time of the AES-CMAC algorithm and T_aesenc is the time of the AES encryption algorithm. Similar to Section 4.1, the offline password guessing attack can obtain the password in polynomial time, thereby breaking the multi-factor security of the authentication scheme.

6.2 Node Capture Attack

We also perform a node capture attack and demonstrate that Jabbari-Mohasef's scheme [26] fails to resist such an attack. Specifically, an adversary can compute session keys for all previous communications between the user and the sensor node. The specific attack details are as follows.

Step 1. A decrypts Cnj = (CID|C¹ij'|C²ij'|DevEUIj'|λn) by using NwkSEncKeynj.
Step 2. A computes λi' = aes_encrypt(Kji, C¹ij').
Step 3. A decrypts Cjn = (C¹ji'|C²ji'|λn').
Step 4. A decrypts (λj') = aes_decrypt(Kij ⊕ λi, C¹ji').
Step 5. A decrypts (SKji) = aes_decrypt(λj', C²ji').

The time complexity: O(4T_aesdec + T_aesenc), where T_aesdec is the time of AES decryption. It is clear that when the nodes are attacked, the protocol cannot maintain forward security.

6.3 Denial of Service Attack

Jabbari-Mohasef's scheme [26] allows users to locally update their passwords or biometrics, providing a convenient feature for users. However, we reveal that this functionality makes the scheme vulnerable to denial of service (DoS) attacks. The specific attack details are as follows.

Step 1. A computes Gen(Bi) = (βi, αi).
Step 2. A chooses IDi*, PWi* from Did × Dpw.
Step 3. A computes Ki = aes128_cmac(βi, IDi* ∥ PWi*).
Step 4. A computes aes_encrypt(Ki, Ci) = (πi*|ρi*|MIDi*||IDi*|Ai*|TIDi*|USCnti*).
Step 5. Repeat steps 1 to 4 until IDi* = IDi.
Step 6. A inputs PWi, IDi, Bi and initiates an update request.
Step 7. A inputs Binew, PWinew.

The time complexity: O((T_B + T_aesenc + T_aesmac) × |DID| × |DPW|). An adversary can update a user's unknown password and biometric information, causing the smart device to deny service to the legitimate user. This is a common vulnerability in protocols that allow local password updates.

7 OUR PROPOSED SCHEME

After analyzing the two protocols [25], [26], we first categorize the identified issues. It is worth noting that these security issues are not limited to the analyzed protocols but are also prevalent in other protocols. Therefore, we analyze their

fundamental causes and propose effective countermeasures. Subsequently, we reexamine the common issues observed in these failed protocols and propose a new two-factor password-based authentication protocol for WSNs.

7.1 Countermeasures of Existing Defects

After analysis, we find that both Chaudhry et al.'s [25] and Jabbari-Mohasef's scheme [26] have the following defects.

7.1.1 Vulnerable to offline password guessing attacks

Multi-factor security is defined such that when the adversary obtains n − 1 factors of an n-factor authentication protocol, the protocol remains secure [16]. Therefore, it is reasonable to assume that the adversary can obtain all factors except the password. Under this assumption, both schemes [25], [26] fail to resist offline password guessing attacks (see Sections 4.1, 4.2, and 6.1) and cannot achieve true multi-factor security. As we know, an offline password guessing attack refers to a scenario where the adversary can gain a verifier in which the only two unknown parameters are the password and the identity number. All other parameters are either known or can be deduced from the password, identity, and additional known parameters [49]. Using the value of the verifier, the adversary can determine the correctness of guessed passwords. Since the attack process is offline, it requires no additional equipment and remains undetectable to others. From the protocol design perspective, adversaries can obtain the verifier through different methods to launch attacks. Attacks on Chaudhry et al.'s [25] and Jabbari-Mohasef's [26] schemes can be categorized into two types.

For the first one, to enable functionalities like "local password update" or "timely typo detection", the smart card must store the verifier to authenticate the user identity. However, protocols that store the verifier in the smart card are vulnerable to offline password guessing attacks. Adversaries can obtain the verifier (e.g., through a side channel attack on the smart card [50]) and verify the correctness of the guessed password. As demonstrated in our analysis, Chaudhry et al. [25] and Jabbari-Mohasef [26] neither consider this problem nor employ effective countermeasures to prevent such attacks. Thus, their schemes fail to resist this type of attack (see Section 4.1 and Section 6.1).

To reconcile the need for local password updates with the risk of offline password guessing attacks caused by smart card storage, Wang et al. [16] proposed the "fuzzy-verifier" technique, which can be employed to solve the above offline guessing attack. Specifically, for Chaudhry et al.'s protocol [25], the verifier is Fi* = h(RPWi* ∥ σi* ∥ Ri ∥ TCUi). We reset Fi* = h(RPWi* ∥ σi* ∥ Ri ∥ TCUi) mod n0, where n0 is an integer and n0 ∈ [2^4, 2^8]. The adversary can find |DID × Dpw| / n0 ≈ 2^32 pairs of (IDi*, PWi*) which satisfy the equation Fi = Fi*. However, there is only one correct pair of identity number and password. If the adversary desires to know whether the guessed password is correct, she must initiate an online request to the gateway. The adversary's advantage is negligible, as she must sift through 2^32 possible answers via online requests to the gateway. Thus, the "fuzzy-verifier" effectively solves this type of offline password guessing attack. Similarly, this approach can be applied to Jabbari-Mohasef's protocol [26]. Due to space limitations, it will not be repeated here.

TABLE 3
Notations and abbreviations in our protocol.

Symbol      Description
Ui          the ith user
Sj          the jth sensor node
GWN         the gateway
SCi         smart card of Ui
A           the adversary
HoneyList   a list recording forged keys
IDi         identity of Ui
DIDi        dynamic identity of Ui
SIDj        identity of Sj
h(·)        one-way hash function
PWi         password of Ui
XGWN        GWN's long-term secret key
SK          the session key
Y           GWN's public key
→           an insecure channel
∥           concatenation operation
⇒           a secure channel
⊕           bitwise XOR operation

For the second type of offline password guessing attack, the adversary can obtain the verifier by eavesdropping on the information transmitted over public channels (see Section 4.2). In 1999, Halevi and Krawczyk [51] pointed out that traditional single-factor password authentication is not immune to offline password guessing attacks if public-key technology is not employed. Later, Ma et al. [24] proposed that all security parameters stored in a smart card could be compromised. Then, smart card based password authentication schemes are downgraded to traditional single-factor password authentication schemes. In such cases, the security of the scheme rel

ies only on the password. To address this issue, Ma et al. proposed "The public-key principle", asserting that public-key cryptography is essential for two-factor authentication schemes to resist offline password guessing attacks, and they pointed out a large number of schemes as evidence. Furthermore, for n-factor authentication, we assume that the adversary can get the n − 1 factors other than the password. Under this assumption, n-factor authentication schemes degrade to traditional single-factor password authentication schemes. Ma et al.'s [24] principle is therefore applicable to multi-factor authentication as well.

To address the issue in Chaudhry et al.'s scheme [25], public-key technology can be employed as a remedy. Ui first chooses a random number a1 and uses GWN's public key y = g^x to compute X1 = g^a1, X2 = y^a1. Then Ui generates the verifier M4' = h(IDi ∥ RIDSj ∥ TCUi ∥ r1 ∥ T1 ∥ X2) and Msg1 = {M1, M2, M3, M4, X1, T1}. In this way, in addition to the password and identity, X2 remains unknown to the adversary. Since X2 can only be computed by GWN, the adversary cannot use M4 to verify the correctness of the guessed password. Public-key encryption technology effectively prevents this type of offline password guessing attack, and it can be applied to similar protocols.

7.1.2 Vulnerable to node capture attacks

We demonstrate that Chaudhry et al.'s [25] and Jabbari-Mohasef's [26] protocols are subject to node capture attacks (see Sections 4.4 and 6.2). The adversary can obtain the secret key of the node through the node capture attack. Then she can use it to obtain previous session keys, which breaks the protocol's forward secrecy. The user usually sends a random number to the gateway to establish a session key. The gateway XORs the random number with the node's secret parameters and then sends it to the node. After that, the node XORs its own random number with the secret and sends it to the gateway. In this process, the gateway can obtain all the parameters to calculate the session key. It is known that the gateway and the node only use the shared

Fig. 2. The user registration phase of our proposed scheme. [Protocol diagram; recovered content: User: input IDi, PWi; select a random number b; HPWi = H(PWi∥b); send {IDi, HPWi} to the gateway via a secure channel. Gateway: check IDi; generate a registration time Treg; Vi = H(IDi∥XGWN∥Treg); Ai = H(IDi∥HPWi) mod n0; Bi = H(HPWi∥IDi) ⊕ Vi; store {IDi, Treg, ai, HoneyList = NULL}; send {SCi} to the user via a secure channel. User: SCi stores {Ai, Bi, P, Y, b, H(·), Ai ⊕ ai}.]

secret to protect the parameter. The gateway is legal and credible, but the adversary can obtain the shared secret by breaking the sensor node. If an adversary captures a sensor node, she can extract the shared secret and use it to derive all parameters related to the session key, as described in [7]. To mitigate this vulnerability, it is essential to ensure that neither the gateway nor the adversary can compute the secret parameters solely based on the shared secret.

Thus, we propose a design where the gateway verifies session key-related content without being able to compute the session key itself. Public-key cryptography can help us realize this design. Specifically, the user chooses a random number r1 and computes X1 = r1 · P, where P is a point on the elliptic curve. Similarly, the node chooses a new random number r2 and computes X2 = r2 · P. They send X1, X2 to each other through the gateway. The session key is then constructed as X3 = r1 · r2 · P. The gateway only verifies identity and data integrity. Importantly, because of the hardness of the elliptic curve discrete logarithm problem, neither the adversary nor the gateway can derive X3 from X1 and X2. As a result, this approach effectively resists node capture attacks and ensures the forward secrecy of the protocol. Besides, we find that node capture attacks can compromise user anonymity [52]. Thus, the gateway should avoid transmitting messages containing user identity information when forwarding user requests to the node.

7.1.3 Synchronization mechanism

Both protocols employ a synchronization mechanism to achieve user anonymity. While time synchronization is a commonly employed technique, it is not recommended due to its inherent vulnerabilities. As Wang et al. highlighted in [36], synchronization mechanisms may lead to de-synchronization attacks or other problems (see Luo et al.'s attack [53] on Gope et al.'s scheme [54]). In addition to synchronization mechanisms, public-key cryptography can also be employed to achieve user anonymity [20]. Beyond anonymity, public-key technology can resist offline password guessing attacks and ensure forward secrecy, as demonstrated in the aforementioned methods. Therefore, public-key cryptography can serve as a direct solution for achieving anonymity. Besides, Chaudhry et al. [25] use a time synchronization mechanism to ensure the freshness of the scheme. Although it is effective, it increases the complexity and energy consumption of the protocol. A more efficient alternative is the use of random numbers to ensure message freshness and prevent replay attacks, which can be employed in almost any protocol.

Building on the previous analysis, we propose a new protocol that adopts the elliptic curve public-key algorithm. To resist offline dictionary guessing attacks, the protocol integrates the "fuzzy-verifier" mechanism [16] and the "honeywords" approach [55]. Furthermore, we implement elliptic curve multiplication on the sensor node and the user side to achieve forward secrecy and user anonymity. The specific details are as follows. The notations and abbreviations are listed in Table 3.

7.2 Initialization Phase

The protocol includes three types of participants: user Ui, gateway GWN, and sensor node Sj. Our proposed scheme is built on an elliptic curve E (generated by a base point P with a large prime order p) defined over a prime finite field Fp. The gateway chooses its long-term secret key XGWN, which is known only to GWN. P is shared with all servers. The GWN computes its public key as Y = P · XGWN, which is made publicly available. Each node Sj has been registered and shares the secret Pj = H(SIDj∥XGWN) with GWN.

7.3 Registration Phase

R1. Ui ⇒ GWN: {IDi, HPWi}.
Firstly, the user Ui chooses an identity and password pair {IDi, PWi} and generates a random number b. Then, the user calculates HPWi = H(PWi||b) and sends the registration message {IDi, HPWi} to the gateway GWN.
R2. GWN ⇒ Ui: SCi: {Ai, Bi, P, Y, H(·), Ai ⊕ ai}.
The gateway GWN first checks whether the IDi is in the database. Then, it computes Vi = H(IDi||XGWN||Treg), where Treg is the registration time of the user and XGWN is the long-term secret key of the GWN. It selects a random number ai and computes Ai = H(IDi||HPWi) mod n0, Bi = H(HPWi||IDi) ⊕ Vi. The GWN stores {Ai, Bi, P, Y, H(·), Ai ⊕ ai} in the smart card SCi and sends it to the user. The GWN stores {IDi, Treg, ai, HoneyList = NULL} in the database, where HoneyList is a list specifically designed to record forged keys generated in response to potential attacks.
R3. The user receives SCi: {Ai, Bi, P, Y, H(·), Ai ⊕ ai} and stores b into the smart card SCi.

7.4 Login and Authentication Phase

L1. Ui → GWN: {C1, C2, X1, DIDi}.
Ui first enters her identity IDi and password PWi. Then the smart card SCi computes HPWi* = H(PWi*||b) and Ai* = H(IDi||HPWi*) mod n0. The SCi verifies the user by checking whether Ai* = Ai. If Ai* ≠ Ai, the smart card SCi rejects the user's login request. Otherwise, SCi selects the corresponding sensor node SIDj and two random numbers r1, r2. It computes ai = Ai ⊕ Ai ⊕ ai, X1 = r1 · P, X2 = r1 · Y, Vi = Bi ⊕ H(HPWi||IDi), DIDi = IDi ⊕ H(X2), C1 = (SIDj||r2||ai) ⊕ H(X2||X1), C2 = H(C1||DIDi||X2||Vi||SIDj), and sends {C1, C2, DIDi, X1} to GWN.
L2. GWN → Sj: {C3, C4, X1}.
When the GWN receives the login request, it first computes X2* = X1 · XGWN, IDi* = DIDi ⊕ H(X1||X2), Vi* = H(IDi*||Treg||XGWN), (SIDj*||r2*||ai*) = C1 ⊕

Fig. 3. The login and authentication phase of our proposed scheme. [Protocol diagram; recovered message flow:
User → Gateway: {C1, C2, DIDi, X1} via a public channel, after checking Ai* = Ai and computing X1 = r1 · P, X2 = r1 · Y, DIDi = IDi ⊕ H(X2), C1 = (SIDj∥r2∥ai) ⊕ H(X2∥X1), C2 = H(C1∥DIDi∥X2∥Vi∥SIDj).
Gateway → Sensor Node: {C3, C4, X1} via a public channel, after computing X2* = XGWN · X1, IDi* = DIDi ⊕ H(X2), Vi* = H(IDi*∥Treg∥XGWN), checking ai* = ai and C2* = C2, with Pj = H(SIDj∥XGWN), C3 = r2 ⊕ H(SIDj∥Pj), C4 = H(r2∥Pj∥SIDj∥X1).
Sensor Node → Gateway: {C5, C6, X3} via a public channel, after checking C4* = C4, with X3 = r3 · P, X4 = r3 · X1, SK = H(X1∥X3∥X4∥r2∥SIDj), C5 = H(SK∥r2∥X1∥X4), C6 = H(r2∥X3∥C5∥X1∥SIDj).
Gateway → User: {C5, C7, X3} via a public channel, after checking C6* = C6, with C7 = H(r2∥X2∥X3∥Vi∥SIDj∥C5); the user checks C7* = C7, computes X4* = r1 · X3, SK = H(X1∥X3∥X4*∥r2∥SIDj) and checks C5* = C5.]
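The login and authentication phase of Fig. 3 (steps L1 to L5 of Section 7.4), together with the card-side fuzzy verifier Ai = H(IDi∥HPWi) mod n0 of Section 7.1.1, as an added Python walk-through that is not part of the paper. It assumes a constructed toy curve over F_p with p = 2^31 − 1 (not a secure curve), SHA-256 as H(·), a fixed registration time Treg, a 32+96+128-bit layout for (SIDj∥r2∥ai), DIDi = IDi ⊕ H(X2) as in L1 and Fig. 3, and the registration-phase argument order for Vi; all function and variable names are this example's own.

```python
import hashlib
import secrets

# Constructed toy curve y^2 = x^3 + x + B over F_p, p = 2^31 - 1, with B = 9 - 8 - 2 mod p chosen
# so that the base point P = (2, 3) of Table 3 lies on it (demonstration only, not a secure curve).
P_MOD, A_COEF, BASE = 2**31 - 1, 1, (2, 3)
N0 = 2**8   # fuzzy-verifier modulus n0, within the paper's range [2^4, 2^8]
NI = 10     # HoneyList threshold N_i of step L2

def ec_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A_COEF) * pow(2 * y1, -1, P_MOD)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P_MOD)
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, point)
        point = ec_add(point, point)
        k >>= 1
    return acc

def H(*parts):
    """H(.): SHA-256 over the '||' concatenation of the parts, as a 256-bit integer."""
    return int.from_bytes(hashlib.sha256("||".join(map(str, parts)).encode()).digest(), "big")

def unpack(v):   # inverse of the (SIDj << 224 | r2 << 128 | ai) layout used for C1
    return v >> 224, (v >> 128) & (2**96 - 1), v & (2**128 - 1)

def register(gwn, id_i, pw):
    """R1-R3 (Fig. 2): returns the smart card SCi; GWN stores {IDi, Treg, ai, HoneyList}."""
    b, ai, treg = secrets.randbits(128), secrets.randbits(128), 20250101  # Treg: constructed
    hpw, vi = H(pw, b), H(id_i, gwn["x"], treg)
    Ai = H(id_i, hpw) % N0                      # fuzzy verifier keeps only log2(n0) bits
    gwn["db"][id_i] = {"treg": treg, "ai": ai, "honey": []}
    return {"Ai": Ai, "Bi": H(hpw, id_i) ^ vi, "Y": gwn["Y"], "b": b, "Ai_ai": Ai ^ ai}

def setup(id_i=1001, pw="correct-horse", sid=7):
    """Constructed deployment: one gateway, one node Sj with Pj = H(SIDj || XGWN), one user."""
    x = secrets.randbelow(P_MOD - 1) + 1        # XGWN; Y = P * XGWN is public
    gwn = {"x": x, "Y": ec_mul(x, BASE), "db": {}}
    return gwn, {"sid": sid, "Pj": H(sid, x)}, register(gwn, id_i, pw)

def login(card, id_i, pw, sid, gwn, node):
    """L1-L5 of Fig. 3. Returns (SK at Ui, SK at Sj), or None whenever a check fails."""
    hpw = H(pw, card["b"])                      # L1: card-side fuzzy check, then {C1, C2, DIDi, X1}
    if H(id_i, hpw) % N0 != card["Ai"]:
        return None
    ai = card["Ai"] ^ card["Ai_ai"]
    r1, r2 = secrets.randbelow(P_MOD - 1) + 1, secrets.randbits(96)
    X1, X2 = ec_mul(r1, BASE), ec_mul(r1, card["Y"])
    vi, did = card["Bi"] ^ H(hpw, id_i), id_i ^ H(X2)   # DIDi = IDi xor H(X2) as in L1 / Fig. 3
    C1 = ((sid << 224) | (r2 << 128) | ai) ^ H(X2, X1)  # (SIDj || r2 || ai) xor H(X2 || X1)
    C2 = H(C1, did, X2, vi, sid)
    X2s = ec_mul(gwn["x"], X1)                  # L2: GWN recovers IDi with XGWN, checks ai and C2
    rec = gwn["db"].get(did ^ H(X2s))
    if rec is None or rec.get("suspended"):
        return None
    vi_s = H(did ^ H(X2s), gwn["x"], rec["treg"])   # same argument order as in registration
    sid_s, r2_s, ai_s = unpack(C1 ^ H(X2s, X1))
    if ai_s != rec["ai"]:
        return None
    C2s = H(C1, did, X2s, vi_s, sid_s)
    if C2s != C2:                               # honeywords: record the forged key, suspend at N_i
        rec["honey"].append(C2s)
        rec["suspended"] = len(rec["honey"]) >= NI
        return None
    Pj = H(sid_s, gwn["x"])
    C3, C4 = r2_s ^ H(sid_s, Pj), H(r2_s, Pj, sid_s, X1)
    r2_n = H(node["sid"], node["Pj"]) ^ C3      # L3: Sj recovers r2, checks C4, contributes r3
    if H(r2_n, node["Pj"], node["sid"], X1) != C4:
        return None
    r3 = secrets.randbelow(P_MOD - 1) + 1
    X3, X4 = ec_mul(r3, BASE), ec_mul(r3, X1)
    sk_node = H(X1, X3, X4, r2_n, node["sid"])
    C5 = H(sk_node, r2_n, X1, X4)
    C6 = H(r2_n, X3, C5, X1, node["sid"])
    if H(r2_s, X3, C5, X1, sid_s) != C6:        # L4: GWN checks C6; it never holds X4, hence not SK
        return None
    C7 = H(r2_s, X2s, X3, vi_s, sid_s, C5)
    if H(r2, X2, X3, vi, sid, C5) != C7:        # L5: Ui checks C7, computes X4* = r1 * X3, confirms C5
        return None
    X4u = ec_mul(r1, X3)
    sk_user = H(X1, X3, X4u, r2, sid)
    return (sk_user, sk_node) if H(sk_user, r2, X1, X4u) == C5 else None

def fuzzy_candidates(card, id_i, guesses):
    """Sec. 7.1.1: guesses that pass the card's fuzzy verifier (about |guesses| / n0 of them)."""
    return [g for g in guesses if H(id_i, H(g, card["b"])) % N0 == card["Ai"]]
```

`setup()` followed by `login()` yields equal keys at user and node while the gateway's view lacks X4; `fuzzy_candidates()` over a guess list returns roughly len(guesses)/n0 survivors, which is why a stolen card alone does not pin down the password.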

H(X2*||X1). Then GWN first checks if ai* = ai. If they are not equal, GWN rejects this session. Otherwise, GWN computes C2* = H(C1||DIDi||X2*||Vi*||SIDj*) and checks whether C2* = C2. If not, GWN rejects this session and inserts C2* into HoneyList when there are fewer than Ni (e.g., Ni = 10) items in HoneyList. If there are Ni items in HoneyList, GWN suspends Ui's smart card SCi until Ui re-registers. If C2* = C2, GWN uses XGWN to get Pj = H(SIDj||XGWN). Then it computes C3 = r2 ⊕ H(SIDj||Pj), C4 = H(r2||Pj||SIDj||X1) and transmits {C3, C4, X1} to Sj.
L3. Sj → GWN: {C5, C6, X3}.
On receiving the message, Sj first uses Pj, SIDj to get r2* = H(SIDj||Pj) ⊕ C3. Then it computes C4* = H(r2||Pj||SIDj||X1) and compares whether C4* = C4. The node rejects the request if they are not equal. Otherwise, it chooses a random number r3 and computes X3 = r3 · P, X4 = r3 · X1, SK = H(X1||X3||X4||r2||SIDj), C5 = H(SK||r2||X1||X4), C6 = H(r2||X3||C5||X1||SIDj) and sends the message {C5, C6, X3} to the GWN.
L4. GWN → Ui: {C5, C7, X3}.
The GWN first authenticates Sj by checking whether C6 = H(r2||X3||C5||X1||SIDj). If so, it computes C7 = H(r2||X2||X3||Vi||SIDj||C5) and sends {C5, C7, X3} to the user. Otherwise, the GWN ends the session.
L5. When receiving the reply from the gateway, Ui first calculates C7* = H(r2||X2||X3||Vi||SIDj||C5) to authenticate the GWN by checking whether C7* = C7. If not, Ui terminates the conversation. Otherwise, Ui computes X4* = X3 · r1 and SK = H(X1||X3||X4*||r2||SIDj). If C5* = H(SK||r2||X1||X4) equals C5, Ui and Sj have successfully authenticated each other and established a session key SK to ensure the security of the subsequent conversation.

7.5 Password Change Phase

P1. If Ui desires to update to a new password, she inputs IDi, the previous PWi and the new password PWinew.
P2. The smart card SC computes HPWi = H(PWi||b) and Ai* = H(IDi||HPWi) to check the user identity.
P3. If Ai* = Ai, the smart card SC computes HPWinew = H(PWinew||b), Ainew = H(IDi||HPWinew), Binew = Bi ⊕ H(HPWi||IDi) ⊕ H(HPWinew||IDi) and replaces {Ai, Bi} with {Ainew, Binew}. Otherwise, the smart card rejects this request.

7.6 Dynamic Node Addition Phase

D1. The sensor node sends the registration request to the GWN.
D2. The GWN chooses a new SIDnew for the new sensor node. Then GWN uses XGWN to compute Pnew = H(SIDnew||XGWN) and sends {SIDnew, Pnew} to Snew.
D3. The new sensor node keeps Pnew as its private key.

8 SECURITY ANALYSIS

In this section, we define the security model and prove the security of the proposed protocol under the ROM.

Participants. In our protocol P, we have three types of participants: the user U ∈ User, the GWN ∈ Gateway and

the sensor node S ∈ Sensor node. We use U^i to denote the ith user. Similarly, GWN denotes the gateway and S^j denotes the jth sensor node. Let I denote any instance, which means I ∈ (U ∪ GWN ∪ S).

Long term keys. Before the authentication phase, there is an initialization and registration phase to establish public parameters and security foundations. The GWN owns a long-term secret key XGWN and the corresponding public key Y. The sensor node S owns an identity SIDS and a long-lived key PS. The user U owns an identity IDU and a password PWU. Specifically, each PWU is independently sampled from the password space D(λ) according to Zipf's law [47].

Queries. The adversary A can use oracle queries to interact with the participants of the protocol. The capabilities of the adversary A in the real attack are captured by oracle queries. The query types are as follows:
- Execute (U^i, GWN, S^j). This query models a passive attack (eavesdropping). The output of this query is the transcript of an honest execution among the three instances U^i, GWN, S^j.
- Send (I, m). This query models an active attack of A. It means that A sends the message m to the instance I. On receiving the message m from the Send query, I executes according to the protocol and sends the response to A.
- Test (I). This query does not model A's capability but defines the semantic security of the session key, which is only valid for "fresh" sessions. If the session key of the instance U^i is not defined, the answer is ⊥. Otherwise, the oracle randomly selects a bit b. If b = 1, it returns the session key to A; if b = 0, it returns a random string of the same length as the session key. This query is allowed only once.
- Reveal (I). This query is used to model the known-key attack, where I is a user U or a sensor node S. If the instance I has negotiated a session key SK and has not been asked a Test (I) query, it outputs SK to A. Otherwise, it outputs ⊥.
- Corrupt (U, 1). According to the capability C7 in Section 2, A can break one factor of the two-factor protocol. This query is used to model that A can obtain U's password. The output is the user U's password PWU.
- Corrupt (U, 2). Based on the capability C7, the adversary can also break the other factor of the protocol. This query is used to model that A can obtain the smart card SC and the parameters stored in SC. The output of this query is the parameters in the user's smart card.
- Corrupt (GWN, 1). This query models the adversary's capability C5. The output of this query is GWN's long-term secret key XGWN.
- Corrupt (S, 1). This query models the adversary's capability C6. The output of this query is the shared secret PS of the sensor node S.

Partnering. We use the session identifier sid and partner identifier pid to define partnering. We say that the two instances U^i and S^j are partnered if all the following conditions are met. (1) Both instances have accepted; (2) the session identifiers satisfy sid(U^i) = sid(S^j); (3) the partner identifiers satisfy pid(U^i) = S^j and pid(S^j) = U^i. The sid denotes the ordered concatenation of all messages sent and received by the instance U^i (or S^j).

Freshness. If A could execute Test (I) and Reveal (I) queries at the same time, then A could easily obtain the session key and break the semantic security of the protocol. The notion of freshness characterizes the fact that an adversary cannot easily obtain the session key. The instance I is fresh if: (1) I has been accepted and holds a session key; (2) neither I nor its partner has been asked a Reveal (I) query; (3) the adversary is allowed to ask one kind of Corrupt query for U or its partner S, and no Corrupt (GWN, 1) query.

Correctness. If U^i and S^j are partnered and accepted, they will share a common session key.

Semantic security. One of the main purposes of the authentication protocol is to protect the session key from being obtained by the adversary. In a protocol P, A can ask a polynomial number of Execute, Send and Reveal queries. It can also ask one Test query. At the end of the game, the adversary tries to guess and output a bit b' for the value of b from the Test query. We define that A wins the game if b' = b and use Succ to denote this event. The advantage of A in breaking the semantic security of P is:

$$\mathrm{Adv}^{\mathrm{ake}}_{P}(\mathcal{A}) = 2\Pr[\mathrm{Succ}(\mathcal{A})] - 1 = 2\Pr[b' = b] - 1.$$

For a secure smart card based password authentication protocol, online password guessing attacks should be the best strategy available to the adversary to break the protocol. Therefore, if the advantage of an adversary A who can make at most q_send online attacks satisfies

$$\mathrm{Adv}^{\mathrm{ake}}_{P,D}(\mathcal{A}) \le C' \cdot q_{send}^{s'} + \epsilon(\ell),$$

then we say that the protocol is semantically secure. Here D is the password space whose frequency distribution follows Zipf's law [47], C', s' are the parameters of the Zipf distribution, ε(·) is a negligible function, and ℓ is a system security parameter.

Before the security analysis, we introduce the computational assumption required for the formal security proof:

Elliptic Curve Gap Diffie-Hellman (ECGDH) problem: A (t, ε)-ECGDH attacker in G is a PPT machine Δ running in time t such that

$$\mathrm{Adv}^{\mathrm{ECGDH}}_{g,G}(\Delta) = \Pr_{x,y}\big[\Delta(xP, yP) = xyP\big], \qquad \mathrm{Adv}^{\mathrm{ECGDH}}_{g,G}(t) = \max_{\Delta}\big\{\mathrm{Adv}^{\mathrm{ECGDH}}_{g,G}(\Delta)\big\},$$

where the probability is taken over the random values x and y. The ECGDH assumption states that Adv^ECGDH_{g,G}(t) ≤ ε, where ε is a negligible value.

Theorem 1. Let P denote the protocol we proposed in Section 7 and |D| the size of the password space. Let A denote an adversary against the semantic security of the protocol within a time bound t, making q_send Send queries, q_exe Execute queries and q_h hash queries. Then the advantage of A in breaking the protocol P is

$$\mathrm{Adv}^{\mathrm{ake}}_{P}(\mathcal{A}) \le C' \cdot q_{send}^{s'} + 6\, q_h\, \mathrm{Adv}^{\mathrm{ECGDH}}_{P}(t') + \frac{q_h^2}{2^{l}} + \frac{6\, q_{send}\,(q_{send} + q_{exe})}{p},$$

where t' ⩽ t + (q_send + q_exe + 1) · T_m, T_m is the time of a scalar multiplication operation in G, and C', s' are the parameters of Zipf's law [47]. The specific proof is as follows.

Proof. We prove this theorem by a series of hybrid games, starting with the real attack Game G0 and ending up with a game where the advantage of A is 0. In all games, the

oracle handles queries as described in the protocol. We define the following events for each game $G_n$, where $n = 0, 1, 2, \ldots, 8$.
- $Succ_n$: The adversary $A$ successfully guesses the bit $b$ in the Test-query.
- $AskPara_n$: The adversary $A$ correctly computes the parameter $V_i$ by asking a hash query $H(\cdot)$ on $(ID_i^* \,\|\, T_{reg} \,\|\, X_{GWN})$ or $(HPW_i \,\|\, ID_i)$.
- $AskAuth_n$: The adversary $A$ correctly computes the parameter $V_i$ and asks a hash query $H(\cdot)$ on $(C_1 \,\|\, DID_i \,\|\, X_2 \,\|\, V_i \,\|\, SID_j)$ or $(r_2 \,\|\, X_2 \,\|\, X_3 \,\|\, V_i \,\|\, SID_j \,\|\, C_5)$.
- $AskH_n$: On the basis of the above hash-queries, the adversary $A$ successfully asks a hash query on $(X_1 \,\|\, X_3 \,\|\, X_4 \,\|\, r_2 \,\|\, SID_j)$ to compute the session key $SK$.

Game $G_0$. This game is a real attack under the random oracle model; thus

$\mathrm{Adv}^{ake}_{P}(A) = 2 \Pr[Succ_0] - 1$ (1)

Game $G_1$. In this game, we simulate the hash queries $H(\cdot)$ and $H'(\cdot)$ that appear in Game $G_6$ later. The system maintains two hash lists $\Lambda_H$ and $\Lambda_A$. The list $\Lambda_H$ stores the records of the hash queries. For example, for a hash query $H(x)$ with input $x$, the oracle first checks whether the list $\Lambda_H$ contains a record $(x, y)$. If so, the answer is $y$. Otherwise, the oracle chooses a random number $y \in \{0,1\}^l$ as output and stores the record $(x, y)$ in the list $\Lambda_H$. The list $\Lambda_A$ stores the records of the hash queries asked by the adversary $A$. For other queries, we also simulate them exactly as the real players would. Therefore, this game is no different from a real attack, and we have

$|\Pr[Succ_1] - \Pr[Succ_0]| \le \epsilon(l)$ (2)

Game $G_2$. In this game, all oracles remain the same as in Game $G_1$. To facilitate the subsequent analysis, we need to remove possible collisions. The collisions include the following two types:
- Collisions on the output of hash queries.
- Collisions on the messages $\{\{C_1, C_2, X_1, DID_i\}, \{C_3, C_4, X_1\}, \{C_5, C_6, X_3\}, \{C_5, C_7, X_3\}\}$.
According to the birthday paradox [56], we have

$|\Pr[Succ_2] - \Pr[Succ_1]| \le \dfrac{(q_{send} + q_{exe})^2}{2p} + \dfrac{q_h^2}{2^{l+1}}$ (3)

Game $G_3$. In this game, we consider the situation in which the adversary is lucky enough to directly guess a correct verifier in $\{C_2, C_4, C_6, C_7\}$ of the protocol (without asking the hash query $H(\cdot)$). Then we have

$|\Pr[Succ_3] - \Pr[Succ_2]| \le \dfrac{q_{send}}{2^l}$ (4)

Game $G_4$. In this game, we abort the game if the adversary is lucky enough to directly guess $V_i$ correctly (without asking the hash query $H(\cdot)$). Then we have

$|\Pr[Succ_4] - \Pr[Succ_3]| \le \dfrac{q_{send}}{2^l}$ (5)

Game $G_5$. In this game, we abort the game if $A$ can compute the correct $V_i$ by asking the corresponding hash query. As long as the event $AskPara_5$ does not occur, $G_4$ and $G_5$ cannot be distinguished. Then we have

$|\Pr[Succ_5] - \Pr[Succ_4]| \le \Pr[AskPara_5]$ (6)

Since the case of directly guessing the value of $V_i$ has already been ruled out, the event $AskPara_5$ can be divided into the following two cases:
- The adversary asks a Corrupt($U$, 1) query to compute the value of $V_i$.
- The adversary asks a Corrupt($U$, 2) query to compute the value of $V_i$.
We define these two events as $AskPara_5withCorrupt_1$ and $AskPara_5withCorrupt_2$, respectively. We first consider the probability of the event $AskPara_5withCorrupt_1$. The adversary uses a Corrupt($U$, 1) query to obtain the user's password $PW_U$. Since $A$ does not know the other parameters, the probability of this event is the same as that of direct guessing. Then we have

$\Pr[AskPara_5withCorrupt_1] \le \dfrac{q_{send}}{2^l}$ (7)

Subsequently, $A$ can use a Corrupt($U$, 2) query to obtain the parameters of the smart card; she can then compute the value of $V_i$ by offline guessing the user's password $PW_U$, whose frequency distribution follows Zipf's law [47]. Then we have

$\Pr[AskPara_5withCorrupt_2] \le \dfrac{1}{2}\, C' \cdot q_{send}^{s'}$ (8)

According to the above equations, we have

$|\Pr[Succ_5] - \Pr[Succ_4]| \le \dfrac{1}{2}\, C' \cdot q_{send}^{s'} + \dfrac{q_{send}}{2^l}$ (9)

Game $G_6$. In this game, we abort the game if $A$ can compute the correct authenticators $C_2$, $C_7$ by asking the corresponding hash query and impersonating the user or the sensor node. $G_5$ and $G_6$ are indistinguishable unless the event $AskAuth_6$ occurs, so we have

$|\Pr[Succ_6] - \Pr[Succ_5]| \le \Pr[AskAuth_6]$ (10)

$\Pr[AskPara_6] - \Pr[AskPara_5] \le \Pr[AskAuth_6]$ (11)

Game $G_7$. In this game, we use the private hash $H'(\cdot)$ to replace the hash $H(\cdot)$ in the protocol. $G_6$ and $G_7$ are indistinguishable unless the event $AskH_7$ occurs, so we have

$|\Pr[Succ_7] - \Pr[Succ_6]| \le \Pr[AskH_7]$ (12)

$|\Pr[AskAuth_7] - \Pr[AskAuth_6]| \le \Pr[AskH_7]$ (13)

Besides, since $A$ cannot use the private hash $H'(\cdot)$,

$\Pr[Succ_7] = \dfrac{1}{2}$ (14)

Game $G_8$. In this game, we use the random self-reducibility of the Elliptic Curve Gap Diffie-Hellman problem to simulate the executions. Since $G_8$ and $G_7$ are indistinguishable,

$\Pr[AskH_8] = \Pr[AskH_7]$ (15)

The event $AskH_8$ means that $A$ has queried the random oracle $H(\cdot)$ on $H(X_1 \,\|\, X_3 \,\|\, ECGDH(X_1, X_3) \,\|\, r_2 \,\|\, SID_j)$. Then we have

$\Pr[AskH_8] \le q_h \cdot \mathrm{Adv}^{ECGDH}_{P}(t')$ (16)

where $t' \le t + (q_{send} + q_{exe} + 1) \cdot T_m$.

Firstly, from Eqs. (1)-(5), we have

$|\Pr[Succ_4] - \Pr[Succ_0]| \le \dfrac{(q_{send} + q_{exe})^2}{2p} + \dfrac{q_h^2}{2^{l+1}} + \dfrac{2 q_{send}}{2^l}$

Then, from Eqs. (6)-(12), we get

$|\Pr[Succ_7] - \Pr[Succ_4]| \le \Pr[AskPara_5] + \Pr[AskAuth_6] + \Pr[AskH_7]$

Lastly, from Eqs. (13)-(16), we get

$\mathrm{Adv}^{ake}_{P}(A) = 2 \Pr[Succ_7] - 1 + 2\left(\Pr[Succ_0] - \Pr[Succ_7]\right) \le C' \cdot q_{send}^{s'} + 6 q_h \, \mathrm{Adv}^{ECGDH}_{P}(t') + \dfrac{q_h^2 + 6 q_{send}}{2^l} + \dfrac{(q_{send} + q_{exe})^2}{p}$

We have shown that the advantage of the adversary decreases to zero through the series of hybrid games. Thus, the adversary cannot break the semantic security of the protocol, which formally proves the security of our protocol.

9 SECURITY ANALYSIS OF OUR SCHEME

Due to the limitations of formal methods [36], [57], many realistic attacks are difficult to capture. In this section, we use heuristic analysis to analyze our protocol.

9.1 Offline Password Guessing Attack

Generally, the adversary can obtain all the information in the public channel, and she can also obtain the parameters stored in the smart card. We assume that the adversary uses the above information to guess the user's $ID_i^*$ and $PW_i^*$ offline. To check the correctness of $(ID_i^*, PW_i^*)$, the adversary could compute $HPW_i^* = H(PW_i^* \,\|\, b)$ and $A_i^* = H(ID_i^* \,\|\, HPW_i^*) \bmod n_0$ and check whether $A_i^* = A_i$. However, even if they are equal, the adversary still cannot be sure that $ID_i^*$ and $PW_i^*$ are the same as the user's $ID_i$ and $PW_i$. To resist offline password guessing attacks, we use the fuzzy-verifier technique. Specifically, $A$ can find $|D_{ID} \cdot D_{pw}| / n_0$ pairs $(ID_i, PW_i)$ that satisfy $A_i^* = A_i$. Therefore, the adversary can only launch an online attack to test whether they are correct. To prevent the adversary from unlimited online testing, we use "honeywords" to detect this attack. Each time the adversary fails, the value of the HoneyList is increased by 1, until the value of the HoneyList exceeds a predetermined threshold (such as 10). Then the $GWN$ suspends the use of the user's smart card. Thus, we can resist this attack. Besides, the adversary can also execute offline password guessing attacks with another method: she can compute $V_i^* = B_i \oplus H(HPW_i^* \,\|\, ID_i^*)$ and verify $V_i^*$ by computing $C_2$ or $C_7$. However, since the adversary cannot obtain the $GWN$'s long-term secret key $X_{GWN}$, she cannot get $X_2$. In all, our scheme can resist offline password guessing attacks.

9.2 Smart Card Loss Attack

Generally, if the adversary attempts to impersonate the user using the smart card, the password is required. However, the above analysis has demonstrated that our protocol effectively resists offline password guessing attacks by employing the "fuzzy verifier" and "honeywords". Even if the adversary possesses the smart card along with its stored secret parameters, she cannot retrieve the password or any other password-related information. Furthermore, the adversary cannot use the parameters stored in the smart card to compute the session key or any other secret value. Thus, our proposed protocol can resist smart card loss attacks.

9.3 User Anonymity

User anonymity [20] usually has two requirements: 1) Anonymity: the user identity cannot be learned by communication entities other than $GWN$; 2) Indistinguishability: the adversary cannot distinguish whether the communication data between entities is sent by the same user. In our proposed scheme, we do not directly transmit the user identity over the public channel. Thus, the adversary cannot obtain the user identity. We set the user's temporary identity $DID_i = ID_i \oplus H(X_1 \,\|\, X_2)$. Since the user has to choose a fresh random number for every authentication, $DID_i$ is different every time. Meanwhile, the adversary cannot obtain the $GWN$'s long-term secret key $X_{GWN}$ to compute $X_2$. The adversary can neither obtain the user identity nor distinguish whether the message comes from the same user.

9.4 Gateway Spoofing Attack

In our scheme, if the adversary wants to impersonate the gateway, she needs to compute $V_i = H(ID_i \,\|\, T_{reg} \,\|\, X_{GWN})$. Since the adversary cannot know the long-term secret key $X_{GWN}$ of $GWN$, our scheme can resist this attack.

9.5 Replay Attack

To resist replay attacks, we use random numbers to ensure the freshness of information. When the participants of this scheme receive a message, they check whether the random number is valid. Moreover, each time the protocol is executed, the number is randomly generated and not the same, so the attacker cannot launch replay attacks.

9.6 User Impersonation Attack

The first method for the adversary is obtaining the user's $ID_i$ and $PW_i$. However, the adversary cannot use offline password guessing to get the correct $ID_i$ and $PW_i$. The other method is that the adversary obtains the message $C_2 = H(C_1 \,\|\, DID_i \,\|\, X_2 \,\|\, V_i \,\|\, SID_j)$ and impersonates the user. However, the value of $C_2$ depends on $V_i$, which can only be computed as $V_i = B_i \oplus H(H(PW_i^*) \,\|\, ID_i^*)$ or $V_i = H(ID_i \,\|\, T_{reg} \,\|\, X_{GWN})$. Since the adversary cannot get $V_i$, she cannot launch a user impersonation attack on our scheme.

9.7 Forward Secrecy

When considering the forward secrecy of the scheme, we assume that the adversary can obtain the long-term secret key $X_{GWN}$. If the adversary wants to obtain the session key, she needs to get $X_4$ from $X_1$, $X_3$. However, it is infeasible for the adversary to break the elliptic curve problem, which is hard in polynomial time. Thus, our scheme can provide forward secrecy.

9.8 Sensor Node Capture Attack

The sensor nodes are deployed in an unsupervised environment for a long time, and their security parameters can be easily acquired by the adversary [7]. Therefore, to prevent the adversary's node capture attack, in our protocol $GWN$ only sends the random number selected by the user to the sensor node $S$. Even if the adversary captures the sensor node and the random numbers of the user, it is still impossible to get the value of $V_i$ or the session key. Therefore, our protocol can resist the sensor node capture attack.
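The fuzzy-verifier and honeywords mechanism of Section 9.1 above, as an added example that is not code from the paper: it shows that a stolen card leaves about $|D_{ID} \cdot D_{pw}| / n_0$ candidate pairs that cannot be separated offline, and that the gateway's HoneyList counter suspends the card once failed online attempts exceed the threshold. Assumptions: $H$ is SHA-256, the gateway check is reduced to comparing the user-side $V_i^*$ with $V_i = H(ID_i \,\|\, T_{reg} \,\|\, X_{GWN})$ (the $C_1$/$C_2$/$DID_i$ wrapping of the real protocol is omitted), the card serial and the tiny $n_0$ and dictionary are constructed for the demonstration.

```python
"""Fuzzy verifier and HoneyList counter from Section 9.1 (constructed example)."""
import hashlib
import secrets
from dataclasses import dataclass, field
from itertools import product


def H(*parts: bytes) -> bytes:
    """Random-oracle stand-in: SHA-256 over the concatenation of its inputs (assumed)."""
    return hashlib.sha256(b"".join(parts)).digest()


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def fuzzy_verifier(id_: str, pw: str, b: bytes, n0: int) -> int:
    """A_i = H(ID_i || HPW_i) mod n0 with HPW_i = H(PW_i || b); ~|D_ID*D_pw|/n0 pairs collide."""
    hpw = H(pw.encode(), b)
    return int.from_bytes(H(id_.encode(), hpw), "big") % n0


@dataclass
class SmartCard:
    serial: int   # constructed: lets GWN keep one HoneyList counter per card
    a_i: int      # fuzzy verifier A_i
    b_i: bytes    # B_i = V_i xor H(HPW_i || ID_i)
    b: bytes      # random value b mixed into HPW_i


@dataclass
class Gateway:
    x_gwn: bytes = field(default_factory=lambda: secrets.token_bytes(32))
    threshold: int = 10                             # HoneyList threshold, "such as 10"
    t_reg: dict = field(default_factory=dict)       # ID_i -> registration time
    owner: dict = field(default_factory=dict)       # card serial -> ID_i
    honey: dict = field(default_factory=dict)       # card serial -> failed online attempts
    suspended: set = field(default_factory=set)

    def v_i(self, id_: str) -> bytes:
        """V_i = H(ID_i || T_reg || X_GWN): needs the long-term key, so only GWN computes it."""
        return H(id_.encode(), self.t_reg[id_].encode(), self.x_gwn)

    def register(self, id_: str, pw: str, n0: int, t_reg: str = "2025-01-01") -> SmartCard:
        self.t_reg[id_] = t_reg
        serial = len(self.owner) + 1
        self.owner[serial] = id_
        b = secrets.token_bytes(16)
        hpw = H(pw.encode(), b)
        b_i = xor(self.v_i(id_), H(hpw, id_.encode()))
        return SmartCard(serial, fuzzy_verifier(id_, pw, b, n0), b_i, b)

    def login(self, serial: int, v_star: bytes) -> bool:
        """Simplified online check (the C1/C2/DID_i wrapping of the real protocol is omitted)."""
        if serial in self.suspended or serial not in self.owner:
            return False
        if v_star == self.v_i(self.owner[serial]):
            self.honey[serial] = 0
            return True
        self.honey[serial] = self.honey.get(serial, 0) + 1
        if self.honey[serial] > self.threshold:
            self.suspended.add(serial)              # GWN suspends the smart card
        return False


def user_v_star(card: SmartCard, id_: str, pw: str) -> bytes:
    """User side: V_i* = B_i xor H(HPW_i* || ID_i*) from a (guessed) pair (ID_i*, PW_i*)."""
    hpw = H(pw.encode(), card.b)
    return xor(card.b_i, H(hpw, id_.encode()))


def offline_candidates(card: SmartCard, ids, pws, n0: int) -> list:
    """Every (ID, PW) pair the stolen card alone cannot rule out, i.e. A_i* == A_i."""
    return [(i, p) for i, p in product(ids, pws)
            if fuzzy_verifier(i, p, card.b, n0) == card.a_i]


def offline_then_online(n0: int = 64, n_ids: int = 16, n_pws: int = 64) -> dict:
    """Section 9.1 scenario on a constructed dictionary: offline filtering, then online testing."""
    gw = Gateway()
    ids = [f"user{k:02d}" for k in range(n_ids)]
    pws = [f"pw{k:03d}" for k in range(n_pws)]
    true_pair = (ids[3], pws[17])
    card = gw.register(true_pair[0], true_pair[1], n0)
    cands = offline_candidates(card, ids, pws, n0)
    success, attempts = False, 0
    for pair in cands:                               # surviving pairs must be tested online
        attempts += 1
        if gw.login(card.serial, user_v_star(card, *pair)):
            success = True
            break
        if card.serial in gw.suspended:              # HoneyList exceeded the threshold
            break
    return {"candidates": len(cands), "expected": n_ids * n_pws / n0,
            "true_pair_survives_offline": true_pair in cands,
            "online_success": success, "online_attempts": attempts,
            "card_suspended": card.serial in gw.suspended}


if __name__ == "__main__":
    print(offline_then_online())
```

With the defaults the card alone leaves about 16 indistinguishable pairs, and the online phase ends either with the true pair found within the first 11 attempts or with the card suspended.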

TABLE 4
Performance comparison among relevant schemes.

Computational cost (ms)*

Related Protocols              User                        Gateway                  Sensor node
Our scheme                     2TP+9TH ≈ 1.022             TP+6TH ≈ 0.512           2TP+4TH ≈ 1.019
Xie et al. (2024) [40]         TS+8TH ≈ 0.006              TS+6TH ≈ 0.005           TS+2TH ≈ 0.002
Bai et al. (2023) [33]         TE+6TH ≈ 1.173              TE+6TH ≈ 1.173           3TH ≈ 0.002
Xu et al. (2023) [35]          TB+7TH+5TP ≈ 1002.544       TP+4TH ≈ 0.511           6TP+6TH ≈ 3.052
Jabbari-Mohasef (2022) [26]    TB+10TS ≈ 1000.005          6TS+TH ≈ 0.004           7TS+TH ≈ 0.005
Rafique et al. (2022) [38]     TB+TS+10TH ≈ 1000.007       4TS+8TH ≈ 0.008          2TS+4TH ≈ 0.005
Zhang et al. (2022) [34]       TB+2TS+5TH ≈ 1000.005       6TS+4TH ≈ 0.004          2TS+2TH ≈ 0.003
Li et al. (2022) [58]          TB+11TH ≈ 1000.008          13TH ≈ 0.009             6TH ≈ 0.004
Chaudhry et al. (2021) [25]    TB+16TH ≈ 1000.011          14TH ≈ 0.010             7TH ≈ 0.004
Wazid et al. (2020) [27]       TB+13TH ≈ 1000.009          8TH ≈ 0.006              8TH ≈ 0.006
Li et al. (2020) [28]          10TH ≈ 0.007                9TH ≈ 0.006              7TH ≈ 0.005
Wang et al. (2020) [52]        Tbe+Tse+9TH ≈ 9.514         Tbe+TS+6TH ≈ 9.357       Tse+TS+4TH ≈ 0.157
Xu et al. (2019) [29]          5TH+TB ≈ 1000.003           12TH ≈ 0.008             4TH ≈ 0.002
Guo et al. (2019) [30]         6TH+TB ≈ 1000.004           16TH ≈ 0.011             6TH ≈ 0.004
Srinivas et al. (2018) [39]    TB+2TC+15TH ≈ 1002.624      10TH ≈ 0.007             2TC+6TH ≈ 2.618
Wazid et al. (2018) [31]       TB+2TS+13TH ≈ 1000.010      4TS+5TH ≈ 0.006          2TS+4TH ≈ 0.004
Li et al. (2018) [59]          TB+2TP+8TH ≈ 1001.022       TP+9TH ≈ 0.514           4TH ≈ 0.003
Li et al. (2018) [60]          TB+3TP+7TH ≈ 1001.529       TP+7TH ≈ 0.513           2TP+4TH ≈ 1.019
Wang et al. (2017) [61]        TB+3TP+10TH ≈ 1001.531      TP+11TH ≈ 0.516          2TP+4TH ≈ 1.019

[Criteria columns S1–S12 (✓/× against the evaluation criteria in Table 2 [6]) are not reproduced here; as stated in Section 10, only our scheme satisfies all 12 criteria.]

* TS, TH, TE, TP, TC, TB, Tbe, Tse denote the time of a symmetric encryption/decryption, a hash computation, a modular exponentiation, a scalar multiplication on an elliptic curve, a Chebyshev polynomial operation, a fuzzy extraction of biometric information, a big-exponent modular exponentiation of RSA, and a small-exponent modular exponentiation of RSA, respectively. According to [36], TE ≈ 1.169 ms (when the modulus length is |n| = 512), TP ≈ 0.508 ms, TH ≈ 0.693 µs, TS ≈ 0.541 µs. Tbe ≈ 1.169 × 8 = 9.352 ms and Tse ≈ (17/1024) × Tbe = 0.156 ms. TB ≈ 1000 ms [52].

9.9 Privileged Insider Attack

In our scheme, the gateway does not store any parameters related to user passwords in memory. Even if insiders obtain the parameters of the smart card, the parameters in the public channel, and the information stored in the gateway, they cannot calculate the user's password. Since we use the "fuzzy verifier" [16] to resist offline password guessing attacks, adversaries cannot find a verifier to check the password. Meanwhile, due to the use of public-key techniques, insiders also cannot obtain the session key. Therefore, our scheme can resist insider attacks.

9.10 Parallel Attack

A parallel attack [62] means that the adversary uses the information obtained in one protocol run to reply in another protocol run. The adversary can then obtain the session key by cheating the gateway or other participants. In our protocol, we use different random numbers each time the protocol is executed, so the information of each run is different. Thus, in our scheme, the adversary cannot use the information in the public channel to launch parallel attacks.

9.11 De-synchronization Attack

Compared with other protocols, our protocol has no parameters that require participants to update simultaneously during the protocol. If the user desires to update the password, she should authenticate her identity first. Meanwhile, we do not use clock synchronization in our scheme. Our scheme can therefore resist de-synchronization attacks.

9.12 Mutual Authentication

Our proposed protocol provides (1) mutual authentication between the gateway and the user: the user and the gateway authenticate each other by computing $C_2$ to check the value of $V_i$; and (2) mutual authentication between the sensor node and the gateway: the gateway and the sensor node authenticate each other by computing $C_4$, $C_6$ to check the sensor node's secret key $P_j = H(SID_j \,\|\, X_{GWN})$. Thus, our protocol achieves mutual authentication with the help of the gateway.

10 PERFORMANCE ANALYSIS

Wang et al.'s evaluation framework [6] is concrete, systematic and comprehensive, and has been widely accepted (see [7], [45], [63]). The specific details of the evaluation criteria can be found in Section 2.2. In this section, we use it to compare and analyze our scheme against 18 state-of-the-art related protocols in terms of security and performance. From the comparison results, only our protocol fully satisfies all 12 criteria. For the performance analysis, the primary focus is on the computational cost of each participant in the protocol. The comparison results are presented in Table 4.

It is evident from the analysis that protocols employing symmetric encryption or hash functions [27]–[31], [33], [34], [38], [40], [58] generally exhibit better performance than those based on public-key cryptography [35], [39], [60], [61]. However, without exception, these symmetric-encryption-based protocols fail to achieve forward security and multi-factor security. This observation aligns with the principle established by Ma et al. [24], which states that public-key cryptography is an essential component for achieving forward security in MFA protocols.

It is worth emphasizing that in security-critical WSN environments, the security of authentication protocols should be considered at least as important as, if not more important than, their efficiency. Consequently, critical security properties must not be compromised for the sake of improving efficiency. Among the protocols analyzed, only the scheme proposed by Wang et al. [61] achieves a security level comparable to ours. The security of the remaining public-key-based protocols is weaker than that of our protocol. Furthermore, our two-factor authentication protocol meets the security goals of the three-factor authentication protocol proposed by Wang et al. [61]. Since our protocol does not employ a fuzzy extractor, it offers significantly higher user-side efficiency than Wang et al.'s scheme [61] and most other three-factor authentication schemes. Although our scheme is less efficient on sensor nodes than most existing protocols, it is the most efficient scheme among those capable of resisting node capture attacks and achieving forward secrecy. The comprehensive comparison result

demonstrates that our scheme outperforms its foremost counterparts and performs well in WSNs.

11 CONCLUSION

In this work, we revisited two leading multi-factor authentication protocols [25], [26] for WSNs, and pointed out that neither of them can achieve the claimed security. Besides reporting security loopholes, we revealed the fundamental causes of their protocol problems and proposed corresponding countermeasures to help protocol designers avoid making the same mistakes. By incorporating countermeasures (e.g., public-key cryptography and fuzzy verifiers) into multi-factor authentication design, we proposed a new two-factor authentication protocol for WSNs and formally proved its security. Meanwhile, we compared our protocol with 18 foremost counterparts, and the results show the superiority of our protocol. We hope that this work will help protocol designers gain a better understanding of the essential problems and difficulties in protocol design. Our protocol can not only be used for WSNs, but may also provide inspiration and solutions for authentication protocols in other environments.

ACKNOWLEDGMENT

Ding Wang is the corresponding author. This research was supported by the National Natural Science Foundation of China under Grant No. 62222208 and Grant No. 62172240, and by the Fundamental Research Funds for the Central Universities (Nankai University) under Grant No. 63253229.

REFERENCES

[1] F. Wang, J. Cui, Q. Zhang, D. He, and H. Zhong, "Blockchain-based secure cross-domain data sharing for edge-assisted industrial internet of things," IEEE Trans. Inf. Forensics Secur., vol. 19, pp. 3892–3905, 2024.
[2] B. Li, Y. Chen, L. Zhang, L. Wang, and Y. Cheng, "Homesentinel: Intelligent anti-fingerprinting for IoT traffic in smart homes," IEEE Trans. Inf. Forensics Secur., vol. 19, pp. 4780–4793, 2024.
[3] Y. Wang, Z. Wang, J. A. Zhang, H. Zhang, and M. Xu, "Vital sign monitoring in dynamic environment via mmwave radar and camera fusion," IEEE Trans. Mob. Comput., vol. 23, no. 5, pp. 4163–4180, 2024.
[4] M. Wazid, A. K. Das, S. Shetty, and J. J. P. C. Rodrigues, "On the design of secure communication framework for blockchain-based internet of intelligent battlefield things environment," in Proc. IEEE INFOCOM 2020, pp. 888–893.
[5] M. Mamdouh, A. I. Awad, A. A. M. Khalaf, and H. F. A. Hamed, "Authentication and identity management of IoHT devices: Achievements, challenges, and future directions," Comput. Secur., vol. 111, p. 102491, 2021.
[6] D. Wang, W. Li, and P. Wang, "Measuring two-factor authentication schemes for real-time data access in industrial wireless sensor networks," IEEE Trans. Ind. Inform., vol. 14, no. 9, pp. 4081–4092, 2018.
[7] C. Wang, D. Wang, Y. Tu, G. Xu, and H. Wang, "Understanding node capture attacks in user authentication schemes for wireless sensor networks," IEEE Trans. Dependable Secur. Comput., vol. 19, no. 1, pp. 507–523, 2022.
[8] J. Bonneau, C. Herley, P. C. van Oorschot, and F. Stajano, "The quest to replace passwords: A framework for comparative evaluation of web authentication schemes," in Proc. IEEE S&P 2012, pp. 553–567.
[9] Lily Hay Newman, The Password Isn't Dead Yet. You Need a Hardware Key, Dec. 2022, [Link] hardware-security-key-passwords-passkeys/.
[10] S. Jarecki, H. Krawczyk, and J. Xu, "OPAQUE: An asymmetric PAKE protocol secure against pre-computation attacks," in Proc. EUROCRYPT 2018, pp. 456–486.
[11] B. F. D. Santos, Y. Gu, S. Jarecki, and H. Krawczyk, "Asymmetric PAKE with low computation and communication," in Proc. EUROCRYPT 2022, pp. 127–156.
[12] Y. Gu, S. Jarecki, P. Kedzior, P. Nazarian, and J. Xu, "Threshold PAKE with security against compromise of all servers," in Proc. ASIACRYPT 2024, pp. 66–100.
[13] Yahoo's 2013 Email Hack Actually Compromised Three Billion Accounts, Oct. 2013, [Link] accounts/.
[14] F. Neil, List of Data Breaches and Cyber Attacks in 2023, 2023, [Link] and-cyber-attacks-in-2023.
[15] D. Wang, Y. Zou, Z. Zhang, and K. Xiu, "Password guessing using random forest," in Proc. USENIX SEC 2023, pp. 965–982.
[16] D. Wang and P. Wang, "Two birds with one stone: Two-factor authentication with security beyond conventional bound," IEEE Trans. Dependable Secur. Comput., vol. 15, no. 4, pp. 708–722, 2018.
[17] M. L. Das, "Two-factor user authentication in wireless sensor networks," IEEE Trans. Wirel. Commun., vol. 8, no. 3, pp. 1086–1090, 2009.
[18] R. Fan, D. He, X. Pan, and L. Ping, "An efficient and DoS-resistant user authentication scheme for two-tiered wireless sensor networks," J. Zhejiang Univ. Sci. C, vol. 12, no. 7, pp. 550–560, 2011.
[19] D. He, Y. Gao, S. Chan, C. Chen, and J. Bu, "An enhanced two-factor user authentication scheme in wireless sensor networks," Ad Hoc Sens. Wirel. Networks, vol. 10, no. 4, pp. 361–371, 2010.
[20] D. Wang and P. Wang, "On the anonymity of two-factor authentication schemes for wireless sensor networks: Attacks, principle and solutions," Comput. Netw., vol. 73, no. C, pp. 41–57, 2014.
[21] A. Das, S. Sharma, S. Chatterjee, and J. Sing, "A dynamic password-based user authentication scheme for hierarchical wireless sensor networks," J. Netw. Comput. Appl., vol. 35, no. 5, pp. 1646–1656, 2012.
[22] C. T. Li, C. Y. Weng, and C. C. Lee, "An advanced temporal credential-based security scheme with mutual authentication and key agreement for wireless sensor networks," Sensors, vol. 13, no. 8, pp. 9589–9603, 2013.
[23] K. Xue, C. Ma, P. Hong, and R. Ding, "A temporal-credential-based mutual authentication and key agreement scheme for wireless sensor networks," J. Netw. Comput. Appl., vol. 36, no. 1, pp. 316–323, 2013.
[24] C. Ma, D. Wang, and S. Zhao, "Security flaws in two improved remote user authentication schemes using smart cards," Int. J. Commun. Syst., vol. 27, no. 10, pp. 2215–2227, 2012.
[25] S. A. Chaudhry, A. Irshad, K. Yahya, N. Kumar, M. Alazab, and Y. B. Zikria, "Rotating behind privacy: An improved lightweight authentication scheme for cloud-based IoT environment," ACM Trans. Internet Technol., vol. 21, no. 3, pp. 1–19, 2021.
[26] A. Jabbari and J. B. Mohasef, "A secure and LoRaWAN compatible user authentication protocol for critical applications in the IoT environment," IEEE Trans. Ind. Informatics, vol. 18, no. 1, pp. 56–65, 2022.
[27] M. Wazid, A. K. Das, V. B. K., and A. V. Vasilakos, "LAM-CIoT: Lightweight authentication mechanism in cloud-based IoT environment," J. Netw. Comput. Appl., vol. 150, p. 102496, 2020.
[28] J. Li, Z. Su, D. Guo, K. K. R. Choo, and Y. Ji, "PSL-MAAKA: Provably-secure and lightweight mutual authentication and key agreement protocol for fully public channels in internet of medical things," IEEE Internet Things J., vol. 8, no. 17, pp. 13183–13195, 2021.
[29] L. Xu and F. Wu, "A lightweight authentication scheme for multi-gateway wireless sensor networks under IoT conception," Arab. J. Sci. Eng., vol. 44, no. 4, pp. 3977–3993, 2019.
[30] H. Guo, Y. Gao, T. Xu, X. Zhang, and J. Ye, "A secure and efficient three-factor multi-gateway authentication protocol for wireless sensor networks," Ad Hoc Networks, vol. 95, p. 101965, 2019.
[31] M. Wazid, A. K. Das, V. Odelu, N. Kumar, M. Conti, and M. Jo, "Design of secure user authenticated key management protocol for generic IoT networks," IEEE Internet Things J., vol. 5, no. 1, pp. 269–282, 2018.
[32] L. Zhu and D. Wang, "Robust multi-factor authentication for WSNs with dynamic password recovery," IEEE Trans. Inf. Forensics Secur., vol. 19, pp. 8398–8413, 2024.
[33] L. Bai, C. Hsu, L. Harn, J. Cui, and Z. Zhao, "A practical lightweight anonymous authentication and key establishment scheme for resource-asymmetric smart environments," IEEE Trans. Dependable Secur. Comput., vol. 20, no. 4, pp. 3535–3545, 2023.
[34] L. Zhang, Y. Zhu, W. Ren, Y. Zhang, and K. R. Choo, "Privacy-preserving fast three-factor authentication and key agreement for IoT-based e-health systems," IEEE Trans. Serv. Comput., vol. 16, no. 2, pp. 1324–1333, 2023.
[35] H. Xu, C. Hsu, L. Harn, J. Cui, Z. Zhao, and Z. Zhang, "Three-factor anonymous authentication and key agreement based on fuzzy

biological extraction for industrial internet of things,” IEEE Trans. Serv. [59] X. Li, J. Niu, S. Kumari, F. Wu, A. K. Sangaiah, and K. K. R. Choo,
Comput., vol. 16, no. 4, pp. 3000–3013, 2023. “A three-factor anonymous authentication scheme for wireless sensor
[36] D. Wang, D. He, P. Wang, and C. Chu, “Anonymous two-factor networks in internet of things environments,” J. Netw. Comput. Appl.,
authentication in distributed systems: Certain goals are beyond vol. 103, pp. 194–204, 2018.
attainment,” IEEE Trans. Dependable Secur. Comput., vol. 12, no. 4, [60] X. Li, J. Niu, M. Z. A. Bhuiyan, F. Wu, M. Karuppiah, and S. Kumari,
pp. 428–442, 2015. “A robust ecc based provable secure authentication protocol with
[37] X. Huang, Y. Xiang, A. Chonka, J. Zhou, and R. H. Deng, “A generic privacy protection for industrial internet of things,” IEEE Trans. Ind.
framework for three-factor authentication: Preserving security and Inform., vol. 14, no. 8, pp. 3599–3609, 2018.
privacy in distributed systems,” IEEE Trans. Parall. Distrib. Syst., vol. 22, [61] C. Wang, G. Xu, and J. Sun, “An enhanced three-factor user
no. 8, pp. 1390–1397, 2011. authentication scheme using elliptic curve cryptosystem for wireless
[38] F. Rafique, M. S. Obaidat, K. Mahmood, M. F. Ayub, J. Ferzund, sensor networks,” Sensors, vol. 17, no. 12, pp. 2946:1–20, 2017.
and S. A. Chaudhry, “An efficient and provably secure certificateless [62] F. Hao, R. Metere, S. F. Shahandashti, and C. Dong, “Analysing and
protocol for industrial internet of things,” IEEE Trans. Ind. Informatics, patching SPEKE in ISO/IEC,” IEEE Trans. Inf. Forensics Secur., vol. 13,
vol. 18, no. 11, pp. 8039–8046, 2022. no. 11, pp. 2844–2855, 2018.
[39] J. Srinivas, A. K. Das, M. Wazid, and N. Kumar, “Anonymous [63] S. Qiu, D. Wang, G. Xu, and S. Kumari, “Practical and provably secure
lightweight chaotic map-based authenticated key agreement protocol three-factor authentication protocol based on extended chaotic-maps
for industrial internet of things,” IEEE Trans. Dependable Secur. Comput., for mobile lightweight devices,” IEEE Trans. Dependable Secur. Comput.,
vol. 17, no. 6, pp. 1133–1146, 2020. vol. 19, no. 2, pp. 1338–1351, 2022.
[40] D. Xie, J. Yang, B. Wu, W. Bian, F. Chen, and T. Wang, “An effectively
applicable to resource constrained devices and semi-trusted servers
Meijia Xu received the M.S. degree in the College of Cryptology and Cyber Science, Nankai University, Tianjin, P. R. China, in Jun. 2020. She is currently working toward the Ph.D. degree from the College of Cryptology and Cyber Science, Nankai University, Tianjin, P. R. China. She has published papers at venues like JSA and WCMC. Her research interests include applied cryptography and password-based authentication.

Ding Wang received his Ph.D. degree in Information Security at Peking University in 2017, and was supported by the “Boya Postdoctoral Fellowship” in Peking University from 2017 to 2019. Currently, he is a Full Professor at Nankai University. As the first author (or corresponding author), he has published more than 100 papers at venues like IEEE S&P, ACM CCS, NDSS, Usenix Security, IEEE TDSC and IEEE TIFS. His research has been reported by over 200 media like The Wall Street Journal, Daily Mail, Forbes, IEEE Spectrum, and Communications of the ACM, appeared in the Elsevier 2017 “Article Selection Celebrating Computer Science Research in China”, and resulted in the revision of the authentication guideline NIST SP800-63-2. He has been involved in the community as a PC Chair/TPC member for over 60 international conferences such as NDSS 2023-2025, ACM CCS 2022, PETS 2022-2024, ACSAC 2020-2024, RAID 2024/2023, IEEE EuroS&P 2025, FC 2025, ACM AsiaCCS 2025/2022/2021, ICICS 2018-2025, SPNCE 2020-2022. He has received the “ACM China Outstanding Doctoral Dissertation Award”, the Best Paper Award at INSCRYPT 2018, the First Prize of Cryptologic Innovation Award of the China Association for Cryptologic Research, and the First Prize of Natural Science Award of the Ministry of Education. His main research interests focus on passwords, authentication, and provable security.