A privacy preserving biometric-based three-factor remote user authenticated key agreement scheme

Advancement in Internet of Things (IOT) and remote user communication is facilitated, where a user need not be physically present. However, security and privacy challenges arrive as client-server communication is done via public network. To lower down the security and privacy threats, authentication and key agreement (AKA) protocols are being designed and analyzed. AKA protocols' goal is to ensure authorized and secure access of recourses. Recently, Li et al. proposed a biometric based three-factor remote user authentication scheme for client-server environment. Their scheme uses biometric identifier to resist guessing attacks. In this article, we discussed the security of Li et al.'s scheme, and show its vulnerability to known session specific temporary information attack. Additionally, it does not provide three-factor authentication and user's privacy. It also has some flows in authentication phase. We proposed a novel AKA protocol, which can overcome the weaknesses of Li et al.'s scheme without losing its original merits. Through the analysis, we show that our scheme is secure against various known attacks including the attacks found in Li et al.'s scheme. Furthermore, we demonstrate the validity of the proposed scheme using the BAN (Burrows, Abadi, and Needham) logic. Our scheme is also comparable in terms of computation overheads with Li et al.'s scheme and other related schemes.