Offline Password Guessing Attacks on Smart-Card-Based Remote User Authentication Schemes

Password as an easy-to-remember credential plays an important role in remote user authentication schemes, while drawing from a space so small that an adversary may exhaustively search all possible candidate passwords to guess the correct one. In order to enhance the security of the password authentication scheme, smart card is introduced as the second factor to construct two-factor authentication scheme. However, we find out that two latest smart-card-based password authentication schemes are vulnerable to offline password guessing attacks under the definition of secure two-factor authentication. Furthermore, in order to show the serious consequence of offline password guessing attacks, we illustrate that the password compromise impersonation attacks as further threats are effective to break down the authentication schemes. Finally, we conclude the reasons why these weaknesses exist and present our improved ideas to avoid these problems in the future.