Cryptanalysis and improvement of a biometric-based remote user authentication protocol usable in a multiserver environment

Recently, Amin and Biswas have discussed a bilinear pairing-based three-factor remote user authentication protocol, claiming it to be secured against various attacks. We scrutinize this protocol and find that it is vulnerable to identity guessing attack, password guessing attack, user untraceability attack, user-server impersonation attack, new smart card issue attack, and privileged insider attack. In this paper, we propose an elliptic curve cryptography and biometric-based remote user authentication protocol for a multiserver environment by overcoming these drawbacks. We conduct its informal and formal security analysis to show that it resists all known security attacks. The Burrows-Abadi-Needham (BAN) logic verifies that our protocol facilitates mutual authentication and session key agreement securely. We simulate it using the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to certify that it can be protected from passive and active threats, including replay and man-in-the-middle attacks. Furthermore, the proposed protocol provides more security attributes and better complexity in terms of smart card storage cost, computation cost, estimated time, and communication cost, as compared with the related existing protocols.