A secure three-factor authentication protocol for mobile networks.

User authentication is a necessary mechanism to communicate securely for mobile networks. Recently, Xie et al. have discussed a three-factor authentication (3FA) scheme using elliptic curve cryptography (ECC) for mobile networks and claimed that it is secure even if the user's two factors are known to the attacker. However, in this paper, we cryptanalyse their scheme and find the offline password guessing and user impersonation attacks in it. We also propose a secure 3FA scheme for mobile networks using ECC by removing the weaknesses of their scheme. We show the formal security verification of the proposed scheme using the ProVerif tool. We discuss its informal security analysis to show that it is resistant to the various known attacks. We also present its performance analysis along with the related schemes in terms of computational cost and security features, and show that it offers more security features as compared to the related schemes.