A Robust and Effective Two-Factor Authentication (2FA) Protocol Based on ECC for Mobile Computing

Abstract

The rapid development of mobile computing (e.g., mobile health, mobile payments, and smart homes) has brought great convenience to our lives. It is well-known that the security and privacy of user information from these applications and services is critical. Without the prevention provided by an authentication mechanism, safety vulnerabilities may accumulate, such as illegal intrusion access resulting in data leakage and fraudulent abuse. Luckily, the two-factor authentication (2FA) protocols can secure access and communication for mobile computing. As we understand it, existing 2FA authentication protocols weaken security in the pursuit of high efficiency. How efficiency can be achieved while preserving the protocol’s security remains a challenge. In this study, we designed a robust and effective 2FA protocol based on elliptic curve cryptography (ECC) for authentication of users and service providers. We proved the robustness (respectively, the effectiveness) of the presented protocol with the heuristic analysis and security verification provided by the ProVerif tool (respectively, with a performance comparison based on six schemes). Performance comparisons in terms of message rounds, communication, and computation overheads showed that our scheme was superior to the exiting schemes or comparable as a whole; i.e., only two rounds, 1376 bits, and 1.818 ms were required in our scheme, respectively. The evaluation results showed that the proposed 2FA protocol provides a better balance between security and availability compared to state-of-the-art protocols.

1. Introduction

With the rapid development of mobile application services using mobile computing, a variety of mobile applications (e.g., e-mail, social networks, online shopping, playing videos, and mobile games) are becoming more and more practical, which not only enhances people’s ways of life but also brings them more convenience [1]. It is worth mentioning that data security and privacy in these services are vulnerable to various threats. The Check Point researchers declared in an analysis report that about 100 million users’ private data were leaked due to illegal intrusion from multiple Android applications, which included real-time databases, push notifications, and cloud key storage, and these leaked data may become “fat meat” in the eyes of malicious actors [2,3]. Attention must be given to security and privacy issues as soon as possible.

The two-factor authentication mechanism (i.e., password + smart card) can achieve user identity verification and session key agreement through protocol interaction. Legal users can access data securely via the session key, thus effectively protecting data security and privacy. However, existing two-factor authentication (2FA) protocols have a fly in the ointment. Given that mobile devices may have constrained resources, many 2FA protocols sacrifice security for higher efficiency and availability.

From the perspective of security, the issue is that the network communication entities in 2FA are subject to diverse attacks, such as impersonation attacks and privileged insider attacks. The schemes in [4,5] do not apply advanced technical means, such as multi-factor authentication and the technology of custom dictionaries, and cannot resist key-compromised user impersonation attacks and password-guessing attacks [6,7,8].

From the perspective of efficiency, to enhance computational efficiency and diminish the communication overhead, earlier researchers tried to design a practical authentication and key agreement (AKA) protocol by using the hash function and symmetric cryptography (e.g., [9,10,11]). Gope et al. [9] put forward a lightweight privacy-preserving authentication protocol in which the server does not need to carry out any time-consuming search operations to identify the tag. In addition, it does not need to store a secret key in the tag device. Yang et al. [10] proposed an efficient, perfect forward secrecy-enabled AKA protocol on the basis of a lightweight hash function and XOR operation. Das et al. [11] developed a remote user authentication protocol based on dynamic ID that allows the user to select and update their passwords randomly and does not maintain a verifier table. Nevertheless, it was found that the scheme in [12] could not provide forward secrecy to secure the session key.

Public-key cryptography technology can be used to enhance the security of the AKA protocol [12]. These public-key cryptography technologies (such as ECC [13], RSA [14], and bilinear pairings [15]) are becoming widely used in the design of AKA protocols [7,16,17], making it possible to enhance the safety of the session key and preserve user’s anonymity, etc. However, given the authentication performance, using a large number of public-key cryptography techniques throughout the process often leads to greater communication/storage consumption costs and lacks practicality. Accordingly, designing a 2FA protocol that balances security and availability is a challenge.

1.1. Related Work

Since the first 2FA protocol [18] was presented in 1981, hundreds of research studies on 2FA protocols for mobile computing have been undertaken, such as on client–server (C/S) architecture [16,17,19,20] and multi-server environments [21].

On the one hand, for the design of the technical protocol, Durlanik et al. [16] proposed a 2FA protocol implementing a public key exchange mechanism with ECC for the session initiation protocol (SIP). They stated that the memory requirements and total execution times of the proposed protocol were greatly improved compared to non-elliptic approaches. For multi-server environments, Chatterjee et al. [21] introduced a modified authentication protocol employing symmetric key encryption–decryption, the hash function, and a Chebyshev chaotic map and proved that the user can only use a single identity and password to manage authentication for different servers.

On the other hand, to enhance the security of the 2FA protocol, Wang [22] provided a design philosophy, a corresponding solution, and a stronger attack model for 2FA protocols. Later, Wang et al. [19] investigated the difficulty of designing identity-based privacy protection 2FA protocols. To enable trusted users (such as doctors or clinicians) to access sensor data from patients using wireless body area networks in the healthcare IoT, Fotouhi et al. [20] designed a lightweight 2FA protocol. Additionally, security proof results showed that the presented protocol offered forward secrecy and could resist common attacks, including privileged insider attacks.

Furthermore, on the basis of cloud services, Vivekanandan et al. [23] proposed a three-factor mobile user authentication protocol for distributed multimedia in 2020. They stated that their protocol provides extra characteristics, such as user choice-based service provider registration, initial user identity registration, and user revocation. Although the protocol [23] can resist various known attacks, it has low authentication efficiency due to the high computational overhead.

To effectively achieve remote communication between users of specific medical services and service providers, Hsu et al. [24] designed a three-factor, user-controlled, single-sign-on scheme with privacy protection and fast authentication. The results of the performance comparison indicated that their scheme had more security attributes and the lowest cost. However, unlike other schemes that store credentials on the server side, this scheme stores large quantities of user credentials on the client side, which results in low communication efficiency.

For end-to-end communication in 5G-enabled narrow-band IoT networks, Hsu et al. [25] proposed a privacy-preserving authenticated key exchange protocol for a multi-server architecture that allows mobile users to log on to multiple servers with an easy-to-remember password and then compute a session key. Although they used elliptic curve cryptography with a small key size to improve communication efficiency, the protocol bears the risk of the session key being easily obtained by adversaries.

In 2021, in order to resist offline dictionary guessing attacks and continuous leakage of secrets from identity servers, Zhang et al. [26] put forward a password-based threshold single-sign-on authentication protocol for mobile users. In addition, they designed a hybrid mechanism and mixed it with the proposed protocol to effectively thwart online dictionary guessing attacks. However, their solutions are not satisfactory in terms of performance and are not suitable for large-scale applications.

For distributed mobile cloud environments, Vivekanandan et al. [27] put forward a privacy protection user authentication protocol using blockchain technology. By means of security analysis methods (e.g., BAN logic, informal analysis, the scyther tool, and the Automated Validation of Internet Security Protocols and Applications (AVISPA) tool), they examined the proposed protocol in relation to various common attacks and found that the proposed protocol could resist all known attacks. Similarly to [26], Sastry and Reddy’s scheme also has the problem that its low performance is not conducive to enhancing the authentication phase efficiently.

To preserve user privacy in the IoT healthcare system, Lin et al. [28] designed a smart card-based authentication protocol with a multi-server architecture. However, we found that no timestamp was used, and so the proposed protocol could not resist denial of service (DoS) attacks. On the basis of extended chaotic maps, Meshram et al. [29] presented a 2FA protocol where a new value $S{B}_i$ is stored in the server during the authentication procedure. However, this protocol cannot resist desynchronization attacks. Despite the fact that user anonymity can be ensured with the protocols from [28,29], they cannot offer user un-traceability, since the messages in the proposed protocol contain various continual values with which attackers can guess the identities of users easily. Additionally, as the users’ private credentials are stored directly in the card without being shielded, Lin et al.’s scheme [28] is vulnerable to stolen smart card attacks.

In 2022, in order to lessen the operation costs and hardware overhead caused by card readers, Meher and Amin [30] designed a multi-factor authentication protocol that does not use smart cards and which is user-friendly and robust. Moreover, the proposed protocol addressed the problem of smart card loss/theft. The authors analyzed their authentication protocol in its response to several security threats, and the results showed that their scheme was safe.

For the multiple service providers in a 6G-assisted intelligent medical environment, Le et al. [31] proposed a three-factor (i.e., smart card, password, and biometrics) authentication protocol with time-limited characteristics. In their scheme, service providers and patients can establish healthcare communications effectively and securely. However, user credentials are stored on the server side, which has potential risks. Moreover, the protocol is vulnerable to password-guessing attacks.

Considering the security threats from physical attacks, physically unclonable functions (PUFs) that can resist physical attacks are widely used to design robust authentication protocols [32,33]. These two research works both claimed that the proposed schemes could resist physical attacks, such as cloning attacks and physical tampering attacks.

1.2. Motivations and Contribution

In practical terms, a 2FA protocol (password + smart card as the two authentication factors) is supposed to offer comprehensive security and various desired characteristics.

Table 1. Goals with related descriptions.

Goal	Description
Anonymity and un-traceability	Identity protection and user un-traceability
Resistance against password-guessing attacks	The attacker cannot grasp the user’s password
Session key security	The attacker cannot compute or steal the session key negotiated between the user and service provider [34]
Resistance against impersonation attacks	Server impersonation attacks and key-compromise user impersonation attacks

shows the four essential security goals [34] that a 2FA protocol must meet.

However, current state-of-the-art 2FA protocols do not meet at least one of the four presented security goals. For instance, according to the acknowledged criteria and heuristic analysis of this paper, the protocol in [35] cannot offer user un-traceability, the protocols in [36,37] cannot resist password-guessing attacks or provide session-key security, and the protocol in [38] is vulnerable to counterfeiting attacks. Similarly, using a heuristic analysis with detailed attack steps, Shin et al. [39] found that the static key and the client’s password in the protocols in [40,41] can be obtained by any attacker. To enhance security and maintain high efficiency, we developed a robust 2FA protocol for mobile computing. The key contributions of this paper are as follows:

1.

Design of a 2FA protocol for mobile computing

The “Fuzzy-Verifiers” [42] and “Honeywords” [42] techniques, which can be used to construct a fuzzy password verifier and effectively resist password-guessing attacks, were applied in our protocol. Further, based on the hash function and ECC, we designed a 2FA protocol that supports user registration, mutual authentication, and user password updating.

2.

The semantic security of the 2FA protocol

The semantic security of the session key was proved with a security proof in our protocol. Additionally, through heuristic analysis, we demonstrated that the proposed protocol meets the ten security evaluation criteria. Furthermore, our protocol’s entity authentication, message confidentiality, and session key security were confirmed using the ProVerif [43] tool.

3.

Performance analysis of the 2FA protocol

A comparative analysis of the functionality, communication, and computation cost of the proposed protocol was conducted with six common related protocols; i.e., those of Roy et al. [37] (IEEE IoTJ’18), Islam et al. [5] (IEEE IoTJ’18), and so on. A better balance between security and availability was achieved in the proposed protocol according to the comparison results.

2. Preliminaries

In this section, some indispensable preliminaries are presented to facilitate an easy understanding of the following sections.

2.1. System Model

As shown in Figure 1, the system model for the 2FA protocol consists of two entities: the user and the service provider. Note that the blue line corresponds to the registration phase and the green line to the mutual authentication phase. In the registration phase, the secret key value and the long-term key are generated by the service provider. When a user registers with the service provider, the registration request is sent to the service provider by the user, and then the service provider creates a smart card, which is sent to the user to enable them to complete the registration operation.

Following the mutual authentication phase, a user with a smart card sends a login request to the service provider, and the service provider then verifies this user according to the received login request. After that, the service provider computes a session key and then conveys the relevant message to the user. Lastly, when receiving the message from the service provider, the user authenticates the identity of the service provider and re-computes the session key.

2.2. Notations

To facilitate understanding among researchers, some notations used in the 2FA protocol are explained in

Table 2. Notations with related descriptions.

Notation	Description	Notation	Description
$U_i$	User	$x$	Long-term key for $S_j$
$S_j$	Service provider	$\mathcal{A}$	Malicious adversary
$I{D}_i$	Unique identity of $U_i$	$\parallel$	String concatenation operation
$P{W}_i$	Password chosen by $U_i$	$⨁$	Bitwise XOR operation
$b$	Random numbers for $S_j$	$H\left(\cdot \right)$	One-way hash function
$a$	Random numbers for $U_i$	$SK$	Session key shared between $U_i$ and $S_j$

.

2.3. Adversary Model

In the existing adversary models presented in [42,44,45,46,47,48,49,50,51,52], the communication channel between the communicating parties can be controlled by the adversary, who can initiate malicious operations, such as intercepting, eavesdropping on, and modifying transport messages. In terms of the forward secrecy, $\mathcal{A}$ can also be admitted and corrupt valid parties to obtain long-term keys. In addition, for various reasons (e.g., improper erasure), $\mathcal{A}$ may attain a previous session key. The capabilities of the adversary in 2FA protocols are described below:

• By means of power analysis or other side-channel techniques, the parameters preserved in the smart card of the user can be obtained by the adversary $\mathcal{A}$;
• $\mathcal{A}$ can intercept, eavesdrop on, and modify transmitted messages in the public channel;
• $\mathcal{A}$ can enumerate all pairs $\left(P{W}_i,I{D}_i\right)$ in $\left({\mathcal{D}}_{PW},{\mathcal{D}}_{ID}\right)$ in polynomial time, where ${\mathcal{D}}_{ID}$ and ${\mathcal{D}}_{PW}$ represent the spaces of the identifier and password, respectively;
• $\mathcal{A}$ can also register as a legal user in cases in which anyone can register;
• $\mathcal{A}$ may be able to obtain previous session keys (e.g., through digital forensic techniques [42]) due to unsuitable erasure;
• When evaluating the forward secrecy, $\mathcal{A}$ is assumed to have obtained the long-term private key of the service provider.

3. Proposed Protocol

To meet the security requirements for a 2FA protocol for mobile users and service providers, we employed the following five core approaches in the proposed protocol:

• The user only sends $I{D}_i$ to the service provider and the protocol uses fuzzy verification technology to design password login verifiers in the registration phase to resist attacks from privileged insiders;
• To resist password-guessing attacks where the adversary leverages the verifier to guess the password, we used the “Fuzzy-Verifiers” and “Honeywords” technologies [42] to set the verifiers of the password $P{W}_i$; i.e., $A_i=H\left(I{D}_i\parallel P{W}_i\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0,RP{W}_i=H\left(I{D}_i\parallel P{W}_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$;
• In terms of guaranteeing efficiency and forward secrecy [53], we applied lightweight ECC to ensure the 2FA protocol’s efficiency and, in addition to the long-term key, we added a secret value that cannot be obtained by the adversary in the calculation of the session key to ensure forward secrecy;
• To resist key-compromise impersonation attacks, we included a secret parameter $r_i$ that can be stored with the service provider securely (e.g., stored in an auxiliary server, as with [17]). Consequently, $\mathcal{A}$ is unable to acquire the value of $V_i$ with $r_i$ to forge the login request message $M_1$;
• To ensure the user’s un-traceability, a dynamic $M_2$ computed with the dynamic parameters $K_2 \mathrm{a}\mathrm{n}\mathrm{d} V_i$ prohibits the adversary from tracing the unchanged identity of the user.

Next, this paper describes the 2FA protocol in detail, including the system setup phase, the registration phase, the following login and authentication phase, and, lastly, the password update phase.

3.1. System Setup Phase

The service provider $S_j$ independently chooses a number $x ϵ Z_p^{\ast }$, which is a one-way hash function $H\left(\cdot \right)$. Then, $S_j$ calculates $X=x\cdot P$ ($P$ is a generator of the abelian group $G$ in the elliptic curve), publicizes the parameter $H\left(\cdot \right),X$, and reserves a long, private, secret key $x$.

3.2. Registration Phase

To obtain authentication from $S_j,$ $U_i$ needs to carry out the following registration steps (R. 1–3) and complete the registration in the terminal of $S_j$:

R. 1 The user $U_i$ chooses an $I{D}_i$ and, using the secure channel, $U_i$ transmits it to the service provider $S_j$;

R. 2 Upon receiving $\left\{I{D}_i\right\}$, $S_j$ picks a random number $r_iϵZ_p^{\ast }$ and computes $V_i=H\left(I{D}_i\parallel x\parallel r_i\right)$. $S_j$ stores $\left\{I{D}_i,r_i,Sum=0\right\}$ in its database, where the parameter $Sum$ represents the number of login failures allowed for the user, and the smart card is revoked once the user fails more than $Sum$ times. Finally, $S_j$ adds $\left\{X,P,V_i\right\}$ to a fresh smart card $S{C}_i$ and, using the secure channel, transmits $S{C}_i$ to $U_i$;

R. 3 When the user $U_i$ obtains the smart card $S{C}_i$ from $S_j$, $S{C}_i$ selects $a_i ϵZ_p^{\ast }$ and randomly generates a number $2^4\le n_0\le 2^8$. Then, $S{C}_i$ calculates the following parameters: $RP{W}_i=H\left(I{D}_i\parallel P{W}_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0,B_i=H\left(RP{W}_i\parallel a_i\right)⨁V_i,A_i=H\left(I{D}_i\parallel P{W}_i\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$. Finally, $S{C}_i$ contains the parameters $\left\{a_i,A_i,B_i,X,P,n_0\right\}$.

The operations are also summarized in

Table 3. User registration phase.

User (${\mathit{U}}_{\mathit{i}}$)	Secure Channel	Service Provider (${\mathit{S}}_{\mathit{j}}$)
Registration Phase:
Choose $I{D}_i$	$\stackrel{\left\{I{D}_i\right\}}{\to }$	Generates a random number $r_i ϵZ_p^{\ast }$
		Computes:
		$V_i=H\left(I{D}_i\parallel x\parallel r_i\right)$
Generates a random number $a_i ϵZ_p^{\ast }$		Store $\left\{I{D}_i,r_i,Sum=0\right\}$ in database
Computes:		New smart card:
$RP{W}_i=H\left(I{D}_i\parallel P{W}_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$		$S{C}_i=\left\{X,P,V_i\right\}$
$B_i=H\left(RP{W}_i\parallel a_i\right)⨁V_i$	$\stackrel{S{C}_i}{\leftarrow }$
Chooses an integer $2^4\le n_0\le 2^8$
$A_i=H\left(I{D}_i\parallel P{W}_i\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$
Update smart card:
$S{C}_i=\left\{a_i,A_i,B_i,X,P,n_0\right\}$

to provide researchers with a quick understanding of the registration phase.

3.3. Login and Mutual Authentication Phase

After $U_i$ registers with $S_j$ effectively, $U_i$ runs the login operation (L. 1) and subsequent authentication steps (A. 1–A. 2) with $S_j$:

L. 1 $U_i$ inputs $I{D}_i^{\prime },P{W}_i^{\prime }$ to $S{C}_i$. Then, $S{C}_i$ computes $A_i^{\prime }=H\left(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$ and checks whether $A_i^{\prime }$ = $A_i$. If not, $S{C}_i$ refuses the login request. Otherwise, $S{C}_i$ computes $RP{W}_i^{\prime }=H\left(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0,V_i=B_i⨁H\left(RP{W}_i^{\prime }\parallel a_i\right)$. Subsequently, $S{C}_i$ picks $aϵZ_p^{\ast }$ and computes $K_1=a\cdot P,K_2=a\cdot X,M_1=H\left(I{D}_i\parallel K_1\parallel K_2\parallel V_i\right),M_2=E_{K_2}\left(I{D}_i\parallel V_i\right)$, where $E_{K_2}\left(\cdot \right)$ is a symmetric encryption algorithm. Finally, $S{C}_i$ sends $\left\{M_1,M_2,K_1\right\}$ to $S_j$;

A. 1 After obtaining $\left\{M_1,M_2,K_1\right\}$, $S_j$ calculates $K_2^{\ast }=x{\cdot K}_1,I{D}_i^{\ast }\parallel V_i^{\ast }=D_{K_2^{\ast }}\left(M_2\right)$, where $D_{K_2}\left(\cdot \right)$ is a symmetric decryption algorithm. Then, $S_j$ searches $I{D}_i$ in its database. If $I{D}_i^{\ast }$ cannot be found, this session is aborted. Otherwise, $S_j$ moves to the next step. $S_j$ extracts $r_i^{\ast }$ stored in the database and checks whether $V_i^{\ast }$ = $H\left(I{D}_i^{\ast }\parallel x\parallel r_i^{\ast }\right)$. If they are unequal, $S_j$ understands that $U_i$’s smart card has been broken. Otherwise, $S_j$ moves to the next step. $S_j$ computes $M_1^{\ast }=H\left(I{D}_i^{\ast }\parallel K_1\parallel K_2^{\ast }\parallel V_i^{\ast }\right)$ and checks whether $M_1^{\ast }=M_1$. $S_j$ will end this session if they are unequal, which means that the integrity of $M_1$ has been corrupted. Otherwise, $S_j$ picks $bϵZ_p^{\ast }$ and computes $K_3=b\cdot P,K_4=b\cdot K_1,M_3=H\left(K_3\parallel K_2^{\ast }\parallel V_i^{\ast }\parallel I{D}_i^{\ast }\parallel K_4\right),S{K}_s=H\left(K_4\parallel I{D}_i^{\ast }\parallel V_i^{\ast }\right)$. Lastly, $S_j$ sends the message $\left\{K_3,M_3\right\}$ to $U_i$ openly;

A. 2 On receiving the message $\left\{K_3,M_3\right\}$, $U_i$ computes $K_4^{\prime }=a\cdot K_3,S{K}_u=H\left(K_4^{\prime }\parallel I{D}_i\parallel V_i\right),M_3^{\prime }=H\left(K_3\parallel K_2\parallel V_i\parallel I{D}_i\parallel K_4\right)$ and verifies if $M_3^{\prime }$ =$M_3$. If the verification fails, the integrity of $M_3$ may be corrupted, and $U_i$ ceases this session; otherwise, $U_i$ thinks about a shared session key $SK=S{K}_u=S{K}_s$.

Again, the operations are summarized in

Table 4. Login and authentication phase.

User (${\mathit{U}}_{\mathit{i}}$)	Public Channel	Server (${\mathit{S}}_{\mathit{j}}$)
Step 1:
Input $I{D}_i^{\prime },P{W}_i^{\prime }$
Compute:
$A_i^{\prime }=H\left(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$
Checks if $A_i^{\prime }=A_i$		Step 2:
Compute:		Computes $K_2^{\ast }=x{\cdot K}_1$
$RP{W}_i^{\prime }=H\left(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$		$I{D}_i^{\ast }\parallel V_i^{\ast }=D_{K_2^{\ast }}\left(M_2\right)$
$V_i=B_i⨁H\left(RP{W}_i^{\prime }\parallel a_i\right)$		Checks the validity $I{D}_i^{\ast }$
Generates a random number $a$		Extract: $r_i^{\ast }$
Compute:		Check if $V_i^{\ast }=H\left(I{D}_i^{\ast }\parallel x\parallel r_i^{\ast }\right)$
$K_1=a\cdot P,K_2=a\cdot X$		Compute: $M_1^{\ast }=H\left(I{D}_i^{\ast }\parallel K_1\parallel K_2^{\ast }\parallel V_i^{\ast }\right)$
$M_1=H\left(I{D}_i\parallel K_1\parallel K_2\parallel V_i\right)$		Checks if $M_1$ $=M_1^{\ast }$
$M_2=E_{K_2}\left(I{D}_i\parallel V_i\right)$	$\stackrel{\left\{M_1,M_2,K_1\right\}}{\to }$	Generates a random number $b$
Step 4:	$\stackrel{\left\{K_3,M_3\right\}}{\leftarrow }$	Step 3:
Computes $K_4^{\prime }=a\cdot K_3$		Computes $K_3=b\cdot P,K_4=b\cdot K_1$
$S{K}_u=H\left(K_4^{\prime }\parallel I{D}_i\parallel V_i\right)$		$M_3=H\left(K_3\parallel K_2^{\ast }\parallel V_i^{\ast }\parallel I{D}_i^{\ast }\parallel K_4\right)$
$M_3^{\prime }=H\left(K_3\parallel K_2\parallel V_i\parallel I{D}_i\parallel K_4\right)$		$S{K}_s=H\left(K_4\parallel I{D}_i^{\ast }\parallel V_i^{\ast }\right)$
Checks if $M_3^{\prime }=$ $M_3$

to provide researchers with a quick understanding of the login and authentication phase.

3.4. Password Update Phase

Here, the user $U_i$ can change the password; that is, $U_i$ only submits his/her old or frequently used password to the smart card as shown in the login phase. After the smart card recognizes $U_i$’s legitimacy by checking if $A_i^{\prime }=A_i$ and obtains $V_i$, $U_i$ can choose a new ${PW}_i^{new}$ and then updates parameters: $A_i^{new}=H\left(I{D}_i\parallel {PW}_i^{new}\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0,{RPW}_i^{new}=H\left(I{D}_i\parallel {PW}_i^{new}\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0,B_i^{new}=H\left({RPW}_i^{new}\parallel a_i\right)⨁V_i$. Lastly, the smart card replaces $A_i \mathrm{a}\mathrm{n}\mathrm{d} B_i$ with new parameters $A_i^{new} \mathrm{a}\mathrm{n}\mathrm{d} B_i^{new}$.

4. Security Analysis

In this section, we describe the formal security proof, the heuristic analysis, and the security analysis using the automated verification tool ProVerif employed to assess the security of the protocol. To facilitate the description, the proposed protocol is abbreviated as $\mathcal{P}$.

4.1. Formal Security Proof

In this part, we first provide the basics for the security proof and then prove the security of $\mathcal{P}$ under the following elliptic-curve computational Diffie–Hellman (ECCDH) assumption.

ECCDH: The hardness assumption of the ECCDH problem, as a variant of the Diffie–Hellman power multiplication [53], indicates that, given a random pair $(aP,bP)$ in $G$, no probabilistic polynomial time (PPT) adversary $\mathcal{A}$ can effectively compute $abP$ with a non-negligible advantage.

4.1.1. Basics for the Security Proof

The security of $\mathcal{P}$ was assessed using the BPR2000 [54] and Bresson [55] basics, and it was further inspired by the proof work published by Wang et al. [42]. The basics are described below.

Participants. A 2FA $\mathcal{P}$ involves two participants: $U$ and $S$. Each participant has many different instances called oracles. $U$’s $i$th instance and $S$’s $j$th instance are denoted as $U^i$ and $S^j$, respectively. Additionally, any instance can be expressed as $I$ if there are no differences.

Queries. The interaction between participants and the adversary $\mathcal{A}$ only takes place through oracle queries, which simulate the adversary’s abilities in a real attack. The kinds of queries that $\mathcal{A}$ can use are as follows:

• Execute $\left(U^i,S^j\right)$: This query catches the eavesdropping of a protocol and, correspondingly, all communication records between $U^i$ and $S^j$ are included in its output;
• Send $\left(U^i,Start\right)$: This query represents the initialization of protocol $\mathcal{P}$;
• Send $\left(I^i,m\right)$: This query captures active attacks. More specifically, by intercepting and blocking a message, an imitative message $m$ is created by $\mathcal{A}$. Subsequently, $\mathcal{A}$ conveys $m$ to $I^i$ and then obtains the feedback from $I^i$;
• Reveal $\left(I^i\right)$: This query models the misapplication of the session key. When $I^i$ recognizes the session and creates an $SK$, it returns $I^i$’s session key $SK$ to $\mathcal{A}$. Otherwise, it responds with $\perp$, which means no response;
• Test $\left(I^i\right)$: The session key’s semantic security is modeled with this query. A coin $b$ is flipped when the query is received. If $b=0$, a random secret key of the same size as $SK$ is then sent to $\mathcal{A}$. If $b=1$, then $SK$ is sent to $\mathcal{A}$. A “$\perp$” is sent to $\mathcal{A}$ if no $SK$ for $I^i$ is created. This query can be invoked momentarily (but only once) during the simulation of the adversary;
• Corrupt $\left(U^i\right)$: With this query, the secret data preserved by the user can be acquired by $\mathcal{A}$.

Accepted state: When the last prospective protocol message is accepted, an instance $I$ will enter the accepted state. Significantly, the orderly series connection of all communicated messages forms the session identifier for $I$ for the present session.

Partnering. Two instances $U^i$ and $S^j$ become partners if: (1) $U^i$ and $S^j$ are in the accepted state; (2) the session identifiers $\left(sid\right)$ of $U^i$ and $S^j$ are the same—i.e., $si{d}_U^i=si{d}_S^j$; (3) $S^j$’s partner identifier $\left(pid\right)$ is $U^i$ and vice versa.

Freshness. An instance $I$ is fresh if: (1) an accepted session key has been computed by $I$; (2) a reveal query is not sent to $I$ by $\mathcal{A}$ or its partner.

4.1.2. Security Proof

In this part, the difference lemma [56] is introduced in Lemma 1 and, with this lemma, the advantage from $\mathcal{A}$ corrupting the session key’s semantic security is derived by means of a formal theorem.

Lemma 1. 

Suppose that $E_1,E_2, \mathrm{a}\mathrm{n}\mathrm{d} F$ are events defined in a probabilistic distribution and further assume that $E_1\wedge \neg F⟺E_2\wedge \neg F$. Then, $\left|Pr\left[E_1\right]-Pr\left[E_2\right]\right|\le Pr\left[F\right]$ holds, where $Pr\left[·\right]$ denotes the probability that the event occurs.

Theorem 1. 

Define $Ad{v}_{\mathcal{P},\mathcal{D}}^{AKA}\left(\mathcal{A}\right)$ as the probability of a PPT adversary $\mathcal{A}$ corrupting the semantic security of $\mathcal{P}$ within a limited time $t$. When $\mathcal{A}$ delivers $q_h$ hash queries, $q_e$ execute queries, and $q_s$ send queries, we obtain: 

$$Ad{v}_{\mathcal{P},\mathcal{D}}^{AKA}\left(\mathcal{A}\right)\le 2C^{\prime }\cdot q_s^{s^{\prime }}+\frac{\left(q_s+q_h+q_h^2\right)}{2^{l-1}}+\frac{2{\left(q_s+q_e\right)}^2}{p}+2q_{h}Ad{v}_{\mathcal{A}}^{ECCDH}\left(t^{\prime }\right)$$

where $\mathcal{D}$ represents the password space that coincides with Zipf’s law [44] according to a probability distribution, $s^{\prime }$ and $C^{\prime }$ refer to the Zipf’s law parameters, $l$ denotes the bit length of the hash value, $p$ represents a large prime parameter, and $t^{\prime }\le t+\left(q_s+q_e+1\right)T_c$, where $T_c$ is the calculation time for the point multiplication operation of the ECC.

Proof. 

Assume that the adversary $\mathcal{A}$ can corrupt the security of $\mathcal{P}$. For such circumstances, we put forward an algorithm $\mathcal{B}$ that is able to solve the ECCDH problem. More precisely, $\mathcal{B}$ responds with $abP$ against the instance $\left(aP,bP\right)$ of the ECCDH. The proof consists of a series of games: $E_0,E_1,\dots ,E_5$. Let $Pr\left[E_i\right]$ denote the valid output $b$ of $\mathcal{A}$ in $E_i$, where $\left(i=0,1,2,3,4,5\right)$.

Game $E_0$. This game simulates a real attack. $\mathcal{A}$ has access to all the oracles; that is, we get:

$$Ad{v}_{\mathcal{P},\mathcal{D}}^{AKA}\left(\mathcal{A}\right)=\left|2Pr\left[E_0\right]-1\right|$$

Game $E_1$. This game models the random oracle $H$ by managing ${\mathsf{\Lambda }}_{\mathcal{A}}$ and a hash list ${\mathsf{\Lambda }}_{\mathcal{H}}$. In addition, this game cannot be distinguished from the actual conduction of the protocol—i.e., game $E_0$—as all oracles are modeled as the real attack. Thus, we have:

$$\left|Pr\left[E_1\right]-Pr\left[E_0\right]\right|=0$$

Game $E_2$. All types of queries are modelled in this game, as in game $E_1$, and it is terminated in the following two situations [34]: (1) a crash from the hash query output and (2) a crash from various records—$(\left(M_1,M_2,K_1\right),\left(K_3,M_3\right))$. According to the birthday paradox, we have:

$$\left|Pr\left[E_2\right]-Pr\left[E_1\right]\right|\le \frac{q_h^2}{2^{l+1}}+\frac{{\left(q_s+q_e\right)}^2}{2p}$$

Game $E_3$. This game is modeled similarly to the game $E_2$ but the only difference is that the protocol is aborted when $\mathcal{A}$ guesses the authentication parameters $M_1$ and $M_3$ accurately without initiating the random oracle query. Further, this game is difficult to differentiate from the previous game $E_2$ unless the accurate authentication parameter is rejected by $U^i$ (or $S^j$). Hence, we have:

$$\left|Pr\left[E_3\right]-Pr\left[E_2\right]\right|\le \frac{q_s}{2^l}$$

Game $E_4$. The session key $SK$ is attained without accordingly initiating the random oracle query in this game. Correspondingly, this game is difficult to differentiate from the previous game $E_3$ unless $\mathcal{A}$ queries from the random oracle $\mathcal{H}$ on $\left(K\parallel I{D}_i^{\ast }\parallel V_i^{\ast }\right)$, where $K=ECCDH\left(K_1,K_3\right)=abP$ [34]. Therefore, we have:

$$\left|Pr\left[E_4\right]-Pr\left[E_3\right]\right|\le q_{h}Ad{v}_{\mathcal{A}}^{ECCDH}\left(t^{\prime }\right)+\frac{q_h}{2^l}$$

Game $E_5$. This game is similar to the previous game $E_4$, and the only distinction is that the $Test$ query is additionally executed. When $\mathcal{A}$ initiates a hash $\mathcal{H}$ query with $\left(abP\parallel I{D}_i^{\ast }\parallel V_i^{\ast }\right)$, game $E_5$ is aborted. Accordingly, on the one hand, $SK$ can be obtained from $\mathcal{A}$ initiating the $\mathcal{H}$ query with the maximum likelihood of $\frac{q_h^2}{2^{l+1}}$. On the other hand, by means of a smart-card-loss attack and by modeling the corrupt $\left(U^i\right)$ oracle, $\mathcal{A}$ may expect to obtain the password for $U^i$ and corrupt the session key. Thanks to the “fuzzy verifier + honeywords” technology, the feasibility of $\mathcal{A}$ correctly guessing a password is not more than $C^{\prime }\cdot q_s^{s^{\prime }}$ [42]. Lastly, from the perspective of breaking the forward security to obtain the session key, the probability of obtained $abP$ is $\frac{{\left(q_s+q_e\right)}^2}{2p}$ at most. Therefore, we have:

$$\left|Pr\left[E_5\right]-Pr\left[E_4\right]\right|\le C^{\prime }\cdot q_s^{s^{\prime }}+\frac{q_h^2}{2^{l+1}}+\frac{{\left(q_s+q_e\right)}^2}{2p}$$

Factually, in this game, $\mathcal{A}$ has no advantage from using the same sized session key created by the random value to discriminate the real $SK$ when $\mathcal{A}$ does not manage to initiate a $\mathcal{H}$ query with the correct input; that is, we have $Pr\left[E_5\right]=\frac{1}{2}$.

Finally, according to games $E_0\sim E_5$ and Lemma 1, we have

$$Ad{v}_{\mathcal{P},\mathcal{D}}^{AKA}\left(\mathcal{A}\right)\le 2C^{\prime }\cdot q_s^{s^{\prime }}+\frac{\left(q_s+q_h+q_h^2\right)}{2^{l-1}}+\frac{2{\left(q_s+q_e\right)}^2}{p}+2q_{h}Ad{v}_{\mathcal{A}}^{ECCDH}\left(t^{\prime }\right)$$

□

4.2. Heuristic Analysis

Here, we employed heuristic analysis to evaluate the protocol’s security since the heuristic method, with its effective, simple, and direct procedure [7], can show that the proposed protocol not only offers desirable properties but is also resistant to various known attacks.

4.2.1. Timely Password Typo Detection

The proposed protocol decreases the computation and communication overhead in cases of input errors or illegal user-initiated attacks. More precisely, in the login phase, the smart card $S{C}_i$ verifies the password’s validity by checking whether $A_i^{\prime }$ ? = $A_i$ after the user inputs $\left\{I{D}_i^{\prime },P{W}_i^{\prime }\right\}$. If $A_i^{\prime }$ = $A_i$, then the request message is transmitted to the service provider by $S{C}_i$. Otherwise, this session is terminated. Therefore, the 2FA provides timely password typo detection.

4.2.2. User Anonymity and Un-Traceability

User anonymity refers to hiding part of the user’s information during communication, and un-traceability means that the user’s identity cannot be tracked. Practically, in order to obtain the user’s identity during the communication session, $\mathcal{A}$ needs to extract all parameters $\left\{a_i,A_i,B_i,X,P,n_0\right\}$ stored in $S{C}_i$ and obtain $\left\{M_1,M_2,K_1\right\},\left\{K_3,M_3\right\}$ from $U_i$ and $S_j$, but no identity information is preserved in the user’s smart card or conveyed over the open channel in the proposed protocol. For user traceability, $M_1=H\left(I{D}_i\parallel K_1\parallel K_2\parallel V_i\right)$ and $M_2=E_{K_2}\left(I{D}_i\parallel V_i\right)$ are variable. The user’s real identity $I{D}_i$ cannot be traced by $\mathcal{A}$. Thus, user anonymity and un-traceability can be achieved.

4.2.3. Privileged Insider Attack

A privilege insider attack refers to insiders using legitimate access to steal confidential information in the system. In the registration phase of our protocol, $U_i$ sends $I{D}_i$ to $S_j$ without any password-related information. Afterwards, an updated smart card $S{C}_i$ is transmitted to $U_i$ by $S_j$. $U_i$ activates $S{C}_i$ by providing $P{W}_i$, which is only known to $U_i$, when receiving $S{C}_i$. Finally, $U_i$ obtains the new $S{C}_i$. It can be seen that $P{W}_i$ is unavailable in plaintext by examining the parameters preserved in $S{C}_i$. Thus, the proposed protocol can resist privileged insider attacks.

4.2.4. Key-Compromise User Impersonation Attack

In order to launch a key-compromise user impersonation attack, $\mathcal{A}$ must attain the value of $V_i$, which can be calculated in two ways: (1) the legal user can compute it with known $\left\{I{D}_i,P{W}_i,B_i,a_i\right\}$ and (2) the service provider can calculate it because of the known $r_i$ and $x$. However, computational difficulties arise if $\mathcal{A}$ attempts to acquire these critical parameters; that is, $\mathcal{A}$ cannot impersonate the legitimate user $U_i$ for $S_j$. Therefore, the proposed protocol is resilient against this attack.

4.2.5. Server Impersonation Attack

In the proposed protocol, $\mathcal{A}$ needs to calculate correct $\left\{K_3,M_3\right\}$ to impersonate the service provider $S_j$. Since $M_3=H\left(K_3\parallel K_2^{\ast }\parallel V_i^{\ast }\parallel I{D}_i^{\ast }\parallel K_4\right)$ is computed by $\left\{V_i^{\ast },I{D}_i^{\ast }\right\}$ and preserved by a secure hash function, $\mathcal{A}$ has to grasp these critical parameters or estimate the valid values in polynomial time. Next, $\mathcal{A}$ must grasp the secret values $\left\{x,r_i,I{D}_i^{\ast }\right\}$. In any case, it is computationally challenging for $\mathcal{A}$ to estimate these private parameters in polynomial time. As a result, the messages cannot be calculated by $\mathcal{A}$ correctly, and the proposed protocol is resistant against server impersonation attacks.

4.2.6. Password-Guessing Attack

In the 2FA protocol, $\mathcal{A}$ can eavesdrop on all information through the open channel and extract all parameters from the smart card of the user. Then, analyses of the password-guessing attack can be conducted from two angles: (i) On the one hand, with an unknown user’s identity $I{D}_i$, $\mathcal{A}$ guesses $\left\{I{D}_i^{\prime },P{W}_i^{\prime }\right\}$ within the dictionary space. Then, $\mathcal{A}$ will be capable of calculating the relevant parameters $RP{W}_i^{\prime }=H\left(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$, and $A_i^{\prime }=H\left(I{D}_i^{\prime }\parallel P{W}_i^{\prime }\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$. Afterwards, $\mathcal{A}$ verifies whether $A_i^{\prime }$ ? = $A_i$. Finally, the above procedures are repeated until the password and identity are guessed by $\mathcal{A}$ accurately. Obviously from the perspective of theory, the relevant $I{D}_i^{\prime }$ and $P{W}_i^{\prime }$ that meet $A_i^{\prime }$ ? = $A_i$ can be estimated by $\mathcal{A}$ in polynomial time. Factually, the guessing size for the password and identity space can be represented as $\frac{\left|{\mathcal{D}}_{ID}\right|\ast \left|{\mathcal{D}}_{PW}\right|}{n_0}$, where $2^4\le n_0\le 2^8$, and ${\mathcal{D}}_{PW}$ and ${\mathcal{D}}_{ID}$ represent the guessing spaces of the password and identity, respectively. Thus, the valid password and identity cannot be guessed by $\mathcal{A}$ effectively because $\frac{\left|{\mathcal{D}}_{ID}\right|\ast \left|{\mathcal{D}}_{PW}\right|}{n_0}\approx 2^{32}$ is larger than the finite $Sum$ that denotes the time allowed by the smart card for an attacker until login failure, when $\left|{\mathcal{D}}_{ID}\right|=\left|{\mathcal{D}}_{PW}\right|={10}^6$ and $n_0=2^8$ [41]. (ii) On the other hand, the identity $I{D}_i$ of the user is likely to be leaked by $\mathcal{A}$. Nevertheless, $\mathcal{A}$ is unable to estimate the password $P{W}_i$ correctly since there are still a large number of password candidates $\frac{\left|{\mathcal{D}}_{PW}\right|}{n_0}\approx 2^{12}$ that meet the formula $A_i=H\left(I{D}_i\parallel P{W}_i\parallel a_i\right) \mathrm{m}\mathrm{o}\mathrm{d} n_0$. Therefore, no matter whether $\frac{\left|{\mathcal{D}}_{ID}\right|\ast \left|{\mathcal{D}}_{PW}\right|}{n_0}\approx 2^{32}$ or $\frac{\left|{\mathcal{D}}_{PW}\right|}{n_0}\approx 2^{12}$, the authentic prize cannot be attained by the adversary using a guessing attack.

4.2.7. De-Synchronization Attack

The de-synchronization attack interferes with the parameter updates. Although the initial message stream can be blocked by the attacker, the service provider does not have to change any critical parameters in the database. Therefore, the consistency of the following communications will not be affected by this procedure. Furthermore, even if the attacker can block the second message stream, the consistency of communications between the service provider and user will not be influenced by it either, as the smart card will change its data only if $M_3^{\prime }$ ? = $M_3$ holds. As a result, the proposed protocol is resilient against de-synchronization attacks.

4.2.8. Replay Attack

Suppose that the login request information $\left\{M_1,M_2,K_1\right\}$ for the previous session has been acquired by $\mathcal{A}$ over an open channel. When $\mathcal{A}$ replays $\left\{M_1,M_2,K_1\right\}$ to $S_j$, $S_j$ verifies $M_1$. Since $V_i$ is updated in every successive session, $M_1$ is also changed to $M_1^{new}$ each time. Therefore, $S_j$ cannot check the previous $M_1$ in the present session. In addition, if $\mathcal{A}$ replays $\left\{K_3,M_3\right\}$ to $U_i$, the previous message $M_3$ cannot be checked by $U_i$ in the present session. Accordingly, the proposed protocol is resistant against replay attacks.

4.2.9. Man-in-the-Middle Attack

Assume that $\mathcal{A}$ manages to block and intercept the login request information $\left\{M_1,M_2,K_1\right\}$ and the challenge message $\left\{K_3,M_3\right\}$ and extracts all parameters for $S{C}_i$ in the proposed protocol. To initiate an effective man-in-the-middle attack, $\mathcal{A}$ has to falsify the new message stream $\left\{\left\{M_1^{\ast },M_2^{\ast },K_1^{\ast }\right\},\left\{M_3^{\ast },K_3^{\ast }\right\}\right\}$ or replay the previous message stream. As mentioned above, the presented protocol is resilient against replay and impersonation attacks. Neither the service provider nor the user can authenticate $\mathcal{A}$ successfully. Thus, the presented protocol can resist man-in-the-middle attacks.

4.2.10. Mutual Authentication

In the presented protocol, $S_j$ verifies $U_i$ by checking whether $M_1^{\ast }=M_1$, while $U_i$ checks $S_j$ by verifying if $M_3^{\prime }=M_3$. After mutual authentication, a common session key $SK$ is negotiated by $S_j$ and $U_i$; that is, mutual authentication can be achieved safely with the proposed protocol.

4.2.11. Forward Secrecy of the Session Key

The forward secrecy of the session key indicates that, although the long-term key $x$ of $S_j$ is leaked to $\mathcal{A}$, all previous session keys remain safe. Assume that $\mathcal{A}$ eavesdrops further: $\left\{\left\{M_1,M_2,K_1\right\},\left\{K_3,M_3\right\}\right\}$. To calculate the prior session key $SK=H\left(K_4\parallel I{D}_i\parallel V_i\right)$, $\mathcal{A}$ needs to know $I{D}_i\parallel V_i=D_{K_2}\left(M_2\right)=D_{a\cdot X}\left(M_2\right)$ and $K_4=b\cdot K_1=abP$. Further, computational difficulties arise for $\mathcal{A}$ when they try to obtain the stochastic parameters $a$ or $b$. Thus, $\mathcal{A}$ is unable to calculate $SK$. Forward secrecy can be achieved successfully with the presented 2FA protocol.

4.3. Formal Verification Analysis Using ProVerif

ProVerif is the latest popular automated verification tool [43]. By running the process in an infinite message space and session simulation, it can verify whether the authentication protocol can: (1) ensure the confidentiality of a specially defined string, (2) ensure the authentication of all entities, and (3) prevent an attacker from tracking the secret string (i.e., the session key).

4.3.1. Definition of Parameters in ProVerif

In Figure 2, we provide the definitions of the parameters in ProVerif, where the public channel (ch) and secure channel (sch) are used for communication between the user and service provider. Further, SKusecret is a session key for the user. All functions, as well as related equations, are also illustrated. Two queries (i.e., lines 24 and 25) were run to test whether the session key was secure and whether the user could obtain authentication from the service provider.

4.3.2. Code for Process in ProVerif

In Figure 3, lines 26–53 of the code (respectively, lines 55–77 of the code) are dedicated to the registration and authentication of the user (respectively, the registration and authentication of the service provider). Then, through the code process ((!User(Idi,PWi))|(!GWN(x,X,P))) that is used to run two entities’ processes in parallel, we can obtain running results for the program codes (see lines 85–89 in Figure 3; i.e., the verification summary). The result in line 87 indicates that the attacker cannot calculate or track the session key SKusecret, and the last line (i.e., line 88) denotes that the event UserKey(UK) is correctly executed after the event ServerKey(SK) and shows that the user has obtained authentication from the service provider.

5. Summary Comparison: Functionality and Performance

To show the better balance of availability and security in the presented 2FA protocol, this section provides a comparative evaluation focusing on the functionality analyses, communication, and calculation overhead in the schemes developed by Tsai et al. [36], Zhu et al. [38], Liu et al. [35], Roy et al. [37], and Islam et al. [5] and in the presented 2FA protocol.

5.1. Security Evaluation Criteria

The hinge that can be used to assess the goodness of the functionality of an authentication protocol is whether the protocol design conforms to the fundamental principles. Wang et al. [42] and Wang et al. [57] provided conclusions regarding the security criteria in terms of AKA protocols. On the basis of our security analysis demonstrated above,

Table 5. Security evaluation criteria for AKA protocols.

Notation	Description	Notation	Description
${EC}_1$	User anonymity and un-traceability	${EC}_6$	Provision of key agreement
${EC}_2$	Password verifier table is unwanted	${EC}_7$	Mutual authentication verification
${EC}_3$	Password exposure is avoidable	${EC}_8$	No clock synchronization
${EC}_4$	Timely typo detection	${EC}_9$	Sound capacity for repair
${EC}_5$	No smart-card-loss attack	${EC}_{10}$	Forward secrecy

presents the safety criteria designed in [42,57] and then ten evaluation criteria (${EC}_{\ast }$) are described.

5.2. Functionality Comparison

In the following, a comprehensive functionality comparison between the 2FA protocol and the five most advanced protocols [5,35,36,37,38] is presented using the evaluation indicators mentioned in Section 5.1.

The comparison results are depicted in

Table 6. Functionality comparison of relevant AKA protocols.

Protocols	Ref.	Evaluation Criteria
		${\mathit{E}\mathit{C}}_1$	${\mathit{E}\mathit{C}}_2$	${\mathit{E}\mathit{C}}_3$	${\mathit{E}\mathit{C}}_4$	${\mathit{E}\mathit{C}}_5$	${\mathit{E}\mathit{C}}_6$	${\mathit{E}\mathit{C}}_7$	${\mathit{E}\mathit{C}}_8$	${\mathit{E}\mathit{C}}_9$	${\mathit{E}\mathit{C}}_{10}$
Tsai et al. (2013)	[36]	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$✕$	$✕$
Zhu et al. (2015)	[38]	$\surd$	$\surd$	$✕$	$\surd$	$✕$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$
Liu et al. (2016)	[35]	$✕$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$✕$	$✕$	$\surd$
Roy et al. (2018)	[37]	$\surd$	$\surd$	$\surd$	$\surd$	$✕$	$\surd$	$\surd$	$✕$	$\surd$	$✕$
Islam et al. (2018)	[5]	$\surd$	$\surd$	$\surd$	$\surd$	$✕$	$\surd$	$\surd$	$\surd$	$✕$	$\surd$
2FA protocol	[-]	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$	$\surd$

, where the notation $\surd$ means that the protocol demonstrates the property, and $✕$ denotes that the protocol does not demonstrate the property. As shown in Table 6, the protocol from [5] cannot fulfill ${EC}_5$ and ${EC}_9$, since the smart card in [5] stores an explicit password validation parameter and is not resistant against password-guessing attacks and key-compromise user impersonation attacks. Furthermore, smart card revocation of function is not provided in [5].

The protocol in [35] cannot provide user anonymity given the transmission of plaintext identities over an open channel, and clock synchronization attacks cannot be resisted; that is, the protocol in [35] does not demonstrate ${EC}_1,{EC}_8$, and ${EC}_9$. Further, Tsai et al.’s protocol [34] does not demonstrate ${EC}_9$ and ${EC}_{10}$, and Roy et al.’s protocol [37] does not demonstrate ${EC}_5,{EC}_8$, and ${EC}_{10}$. Specifically, the protocol in [36] cannot achieve forward secrecy due to the storage of secret key values in the corresponding device [36]. Although only three chaotic-map operations are performed in the protocol in [37], it is still incapable of maintaining forward secrecy once the long-term key is compromised. In addition, the password validation parameter is stored explicitly in the smart card and the plaintext identity is transmitted over the open channel in Roy et al.’s protocol [37], which makes it easy for the attacker to intercept, resulting in the information from the communicator not being synchronized. Similarly, Zhu et al.’s protocol [38] is vulnerable to password-guessing attacks and smart-card-loss attacks due to the smart card storing an explicit password validation parameter. Accordingly, [38] does not demonstrate ${EC}_3$ and ${EC}_5$.

In general, by observing the Table 6, it can be deduced that the proposed 2FA protocol is the only one that meets the expected security and usability goals and is immune to various known attacks. The proposed 2FA protocol is the only protocol that is resistant against diverse known attacks and can meet the ideal safety and availability goals.

5.3. Communication and Computation Cost Comparison

To provide a fair presentation of the computation and communication cost comparison, drawing on previous research work [58,59], notations with the corresponding running time and running platform are shown in

Table 7. Notations with related abbreviations.

Notation	Description	Time/ms	Running Platform
$T_c$	The computing time for the extended chaotic-map operation	0.294	Ubuntu 18.04 with Intel i7-4710HQ, 2.5 GHz CPU and 8 G memory
$T_m$	The computing time for elliptic curve point multiplication	0.294
$T_s$	The computing time for the symmetric cryptography operation	0.021
$T_h$	The computing time for a one-way hash operation	0.003

. For the evaluation of the communication overhead in the login and authentication phase, the length of the safety parameters is defined in

Table 8. Lengths of the safety parameters.

Parameter	Length/Bits
Timestamp	16
User identity	160
Random number	128
Elliptic curve point	160
The output of the hash function	160
The ciphertext of the symmetric encryption/decryption algorithm	128

.

As shown in

Table 9. Communication and computation costs in the login and authentication phase.

Protocols	Computation Cost			Total Communication Cost	Message Rounds
	User	Service Provider	Total Running Time
Tsai et al. (2013) [36]	$5T_h+T_m$	$5T_h+{3T}_m$	1.206 ms	960 bits	3
Zhu et al. (2015) [38]	$4T_h+2T_c$	$6T_h+2T_c$	1.206 ms	736 bits	2
Liu et al. (2016) [35]	$6T_h+3T_c$	$6T_h+3T_c$	1.8 ms	1280 bits	3
Roy et al. (2018) [37]	9$T_h+2T_c$	$6T_h+T_c$	0.927 ms	960 bits	2
Islam et al. (2018) [5]	$7T_h+2T_m+T_s$	$5T_h+2T_m+T_s$	1.254 ms	768 bits	3
2FA protocol	$10T_h+3T_m$	$8T_h+3T_m$	$1$.818 ms	1376 bits	2

, the total computation cost for the 2FA protocol is 1.818 ms. Compared with other protocols, the 2FA protocol has slightly higher computing costs (and is closest to the cost of the scheme from [35]), allowing it to obtain higher robustness in terms of safety. The total communication cost of the 2FA protocol is 1376 bits. It can be seen that the communication costs of the relevant protocols are slightly lower than that of the 2FA protocol. It can be seen that only two communication message streams are required in the 2FA protocol, while three message streams are required in the protocols from [5,35,36].

In conclusion, it can be seen that the proposed 2FA protocol is the most suitable for two-factor authentication and key agreement and balances security and availability in mobile computing.

6. Conclusions

The authentication mechanism has always been an effective way of guaranteeing secure communication in mobile computing. However, existing authentication protocols weaken security in the pursuit of high efficiency. In this study, we designed a robust and effective 2FA protocol and then fully proved the protocol’s security and good performance. The safety analysis results using the ProVerif tool demonstrated that the proposed 2FA protocol was able to achieve semantic security, satisfy all ten evaluation criteria (${EC}_1-{EC}_{10}$), and provide mutual authentication for and preserve the security of the session key. By comparing the performance of six state-of-the-art protocols and the presented 2FA protocol, we showed that the designed 2FA protocol is more practical. Its design ideas presented in our paper are generic and may be used as guidelines to design AKA protocols. As our ongoing research work, we will focus on a more secure authentication protocol that also considers physical attacks for various situations in mobile computing with IPv6 over low-power wireless personal area networks (6LoWPAN) [60].