A Robust and Flexible Biometrics Remote User Authentication Scheme

Biometric-based authentication systems are widely deployed for person identification. Recently, an improved scheme for flexible biometrics remote user authentication was proposed by Khan and Zhang. In this paper, we demonstrate that Khan-Zhang’s scheme is still vulnerable to the following two attacks: (1) It is insecure to parallel session attack in which an adversary without knowing a legal user’s password and biometrics information can masquerade as the legal user by somehow crafting a valid login message from eavesdropped communications between the user and the remote system; (2) It is insecure to privileged insider’s attack since a legal user’s password can be easily revealed to the insider attacker of the remote system. Moreover, we figure out how to eliminate the security vulnerabilities of Khan-Zhang’s scheme. Compared with Khan-Zhang’s scheme, the proposed scheme is more efficient and holds stronger security.