Recently, Tsai et al., Liao et al. and Li et al. each proposed a multi-server authentication protocol. They claimed that their protocols were secure, and that they could withstand various attacks. However, we found some security loopholes in each of their schemes. For example, the schemes of both Tsai et al. and Liao et al. are vulnerable to a server spoofing attack by an insider server while that of Li et al. is exposed to to the lost smart card password-guessing attack. In addition, the scheme of Liao et al. is vulnerable to the off-line password-guessing attack. In this study, we review and demonstrate the effects of these attacks on each scheme. Then based on the scheme of Li et al., we developed a novel method and examined its security using several features. The security analysis confirmed that our protocol outperformed the scheme of Li et al. in terms of its security features when subjected to the lost smart card password-guessing attack.
