An enhanced user authentication scheme for multi-server Internet services

In 2001, Tsaur proposed a smart card based password authentication scheme for multi-server Internet environments. It is the first scheme for password authentication in multi-server environments. Tsaur's scheme can verify a single password for logging in multiple authorized servers without using any password verification table at all, and emphasizes that any client can get service granted from multiple servers without repeating registration to every single server. One year later in 2002, Kim et al. pointed out that Tsaur's scheme cannot be secure against the off-line guessing attack. Nevertheless, Kim et al. did not propose any modification method. In this paper, we will show another weakness in Tsaur's scheme, and further give an improvement such that the above two weaknesses can be withstood accurately.