In 2008, Khan et al. proposed a remote user authentication scheme for mobile devices, using a hash function and fingerprint biometrics. In 2010, Chen et al. discussed some security weaknesses of Khan et al.'s scheme and subsequently proposed an improved scheme. Recently, Truong et al. demonstrated that in Chen et al.'s scheme, an adversary can successfully replay an intercepted login request. They also showed how an adversary can cheat both legal participants by taking advantage of the fact that the scheme does not provide anonymity to the user. In this paper, we show that Chen et al.'s scheme suffers from some additional drawbacks that were not presented by Truong et al. in their analysis.