Revisiting Anonymous Two-Factor Authentication Schemes for Cloud Computing

• Published in: Cloud Computing and Security Vol. 11064; pp. 134 - 146
• Main Authors: Shen, Yaosheng, Wang, Ding, Wang, Ping
• Format: Book Chapter
• Language: English
• Published: Switzerland Springer International Publishing AG 2018; Springer International Publishing
• Series: Lecture Notes in Computer Science
• Subjects: Cloud computing; Offline password guessing attack; Two-factor authentication; User untraceability
• ISBN: 3030000087; 9783030000080
• ISSN: 0302-9743; 1611-3349
• DOI: 10.1007/978-3-030-00009-7_13

Investigating the security pitfalls of cryptographic protocols is crucial to understanding how to improve security. At ICCCS’17, Wu and Xu proposed an efficient smart-card-based password authentication scheme to cope with the vulnerabilities in Jiang et al.’s scheme. However, in this paper, we reveal that Wu-Xu’s scheme actually is subject to critical security defects, such as offline password guessing attack and replay attack. Besides security, user friendly is also another great concern. In 2017, Roy et al. found that in most previous two-factor schemes a user has to manage different credentials for different services, and further suggested a user-friendly scheme which is claimed to be suitable for multi-server architecture and robust against various attacks. In this work, we show that Roy et al.’s scheme cannot achieve truly two-factor security and is of poor scalability. Our results invalidate any use of the scrutinized schemes for cloud computing environments.