A Lightweight Three-Factor Authentication and Key Agreement Scheme for Multigateway WSNs in IoT

The Internet of Things (IoT) has built an information bridge between people and the objective world, wherein wireless sensor networks (WSNs) are an important driving force. For WSN-based applications such as environment monitoring and smart healthcare, user legitimacy authentication and data security are always worth exploring. In recent years, many multifactor user authentication schemes for WSNs have been proposed using smart cards, passwords, as well as biometric features. Unfortunately, these schemes have been shown to be exposed to various vulnerabilities (e.g., password guessing attack, impersonation attack, and replay attack) due to nonuniform security evaluation criteria. Wang et al. put forward 12 widely accepted evaluation criteria by investigating a large body of relevant literature. In this paper, we first propose a lightweight multifactor authentication protocol for multigateway WSNs using hash functions and XOR operations. Further, BAN logic and the BPR model are employed to formally prove the correctness and security of the proposed scheme, and the informal analysis with Wang et al.'s criteria also indicates that it can resist well-known attacks. Finally, performance analysis of the compared schemes is given, and the evaluation results show that only the proposed scheme satisfies all 12 evaluation criteria while remaining efficient among these schemes.


Introduction
As the third revolution of the information technology industry, the Internet of Things (IoT) has been developing for over 20 years. During this period, more and more physical objects embedded with sensors and terminal devices have been connected to the IoT to exchange information. For instance, in wireless sensor networks (WSNs), tens of thousands of different sensors are deployed everywhere (e.g., architectures, bridges, and intelligent terminals). These devices collect real-time data from the surrounding environment or target objects and, at fixed periods, forward the collected data directly to nearby gateway nodes for further analysis. Then, application systems access the data through the network to provide various personalized services. In heterogeneous WSNs, any insecure terminal node may threaten the whole network's security because of the flexible access mode; potential vulnerabilities continually emerge due to the complexity of heterogeneous networks [1]. Thus, it is necessary to design an authentication protocol to ensure that only legitimate users have access to the network [2]. Generally, because sensor nodes are resource-constrained in aspects such as low energy, insufficient computing capability, and lack of memory space, many expensive cryptographic primitives are not suitable. On the whole, a proposal designed for WSNs should balance security and efficiency well.
In 1981, Lamport [3] proposed the password-based authentication scheme, and in 1991, Chang and Wu [4] pioneered the smart card-based authentication scheme. Since then, achievements on single-factor identity authentication protocols for WSNs have emerged in an endless stream. It was not until 2009 that Das [5], combining the smart card with a password, put forward a pioneering work on multifactor authentication protocols for WSNs. However, it was revealed to have many weaknesses, i.e., lack of mutual authentication and vulnerabilities to password guessing attack, sensor node capture attack, and denial-of-service (DoS) attack [6][7][8]. Later, many multifactor authentication schemes that asserted high security and efficiency were proposed, yet they were prone to various attacks [9,10]. Xue et al. [11] presented a temporal-credential-based mutual authentication and key agreement scheme for WSNs. Soon afterwards, loopholes were pointed out in their scheme, i.e., vulnerabilities to offline password guessing attack, user tracing, impersonation attack, and stolen-verifier attack, as well as the lack of user anonymity [12][13][14]. In recent years, biological information of the human body, such as fingerprint and iris, has been exploited for authentication. With its unforgeability, uniqueness, and stability, biometric authentication technology is inherently convenient, reliable, and promising [15]. Yuan [16] took the human fingerprint as a third factor to achieve user authentication for WSNs, which was lightweight. Nevertheless, it was pointed out that the scheme did not withstand offline password guessing attack, privileged insider attack, and gateway impersonation attack. Then, Li et al. [17] introduced a three-factor authentication scheme for WSNs using biometric features. Subsequently, it was shown that their scheme could not resist stolen smart card attack or support forward secrecy [18].
Additionally, in practical applications of WSNs, multiple gateways are usually deployed to jointly manage multiple areas. As such, the user can access any sensor node for real-time data in any area. Multigateway-based authentication protocols therefore also deserve discussion. Amin et al. [19] proposed a two-factor multiple-gateway authentication protocol using hash functions. Later, Wu et al. [20] argued that this scheme did not realize mutual authentication or resist impersonation attack; then, they put forward a new scheme. Srinivas et al. [21] also found many flaws in [19], i.e., stolen smart card attack and sensor node spoofing attack, and then presented a three-factor authentication scheme using hash functions. However, their scheme was also revealed to be vulnerable to sensor node capture attack and to lack support for user anonymity. In 2019, Guo et al. [22] found that the scheme designed by Wu et al. [20] could not resist stolen smart card attack and session key reveal attack. In order to address these drawbacks, Guo et al. [22] presented a new scheme based on biometric features. Recently, Vinoth et al. [23] proposed a secure multifactor authentication key agreement scheme for industrial IoT, which was not as secure as they claimed. It actually could not deal with attacks such as sensor node capture attack, DoS attack, and replay attack.
As mentioned above, these schemes are constantly exposed to various vulnerabilities and are in fact trapped in a "break-propose-break" cycle. The security properties of a scheme are determined by an evaluation standard system, so researchers always find new flaws under different systems. In 2018, on the basis of previous research studies, Wang and Wang [24] summarized and put forward security criteria for two-factor authentication protocols, which are recognized by the industry at present. These criteria contain 12 independent and fundamental rules that multifactor authentication protocols shall satisfy. For the specific content of the criteria, refer to [24]; we call it "12-Criteria" here for the sake of convenience.
In terms of 12-Criteria, most existing multifactor authentication protocols cannot satisfy all of them. This paper puts forward a new lightweight three-factor authentication and key agreement scheme for multigateway WSNs, and the main contributions are summed up as below:
(1) We first reanalyse Guo et al.'s protocol [22]. In accordance with 12-Criteria, we further point out some vulnerabilities and drawbacks that still exist in their scheme, including no repairability, improper treatment of biological factors, offline password guessing attack, and lack of forward secrecy.
(2) In the light of the 12-Criteria, we put forward a new lightweight three-factor authentication and key agreement scheme for the multigateway environment. In our scheme, biometric features, as an important factor, are extracted and validated by a fuzzy extractor [25], and honey_list [24] is introduced to assist the effective smart card logout.
(3) Formal and informal security analyses are given to prove the correctness and security of the proposed scheme, and comparisons with similar research studies show that this new scheme achieves a superior balance between security and efficiency.
The remainder of this paper is organized as follows. The relevant background is introduced in Section 2. In Section 3, some security flaws in Guo et al.'s work [22] are discussed. The proposed protocol and the corresponding security analysis are presented in Sections 4 and 5, respectively. The performance of the proposed protocol is evaluated in Section 6, and finally, the whole paper is concluded in Section 7.

Preliminaries
This section briefly introduces some necessary notations, the system model, and the adversary model, as well as background knowledge about formal proofs.

Notations.
The related notations used in this paper are described in Table 1.

System Model.
A multigateway system model is illustrated in Figure 1, wherein three roles, i.e., users, gateway nodes (GWNs), and sensor nodes, are included. Considering the distance measure, the relatively close node is referred to as the home gateway node (HGWN), while the opposite is the foreign gateway node (FGWN). The communication processes are summarized as follows.
When a legitimate user attempts to communicate with a sensor node, he first needs to log in successfully and send a message to inform HGWN. After the reception of the message, HGWN first checks its database with the key information of the target sensor node as an index. Here, two cases are taken into account. Case 1 is presented in steps ①-④: if the target sensor node exists in the database, HGWN authenticates the user and sends a message to the sensor node. Then, the sensor node authenticates HGWN and returns a message. After the complete verification of the returned message, HGWN returns a message to the user. Similarly, once the message is verified correctly by the user, the three parties can derive a common session key for further communication. Case 2 is shown in steps 1-8: if the target sensor node does not exist in the database, HGWN broadcasts the request message to other nodes. When FGWN receives it and finds that the wanted sensor node exists in its database, it sends a message to HGWN. Then, HGWN returns a message to the user. After a complete authentication process, the user, FGWN, and the sensor node can negotiate the session key.

Notations and Formulas of BAN Logic.
The Burrows-Abadi-Needham logic [26], BAN logic for short, plays a positive and effective role in proving that a scheme supports authentication and key agreement among communicating participants. Formally, it needs three steps: idealization of the interaction messages in the protocol, initial assumptions according to the specific situation, and achievement of the expected goals by inference rules. We first present the basic notations of BAN logic in Table 2.
(i) (R1) Message-meaning rule: if P concludes that the secret K or Y is shared with Q and sees $\langle X \rangle_Y$ or $(X)_K$, then P believes Q once said X.
(ii) (R2) Freshness rule: if P believes X is fresh, then P believes (X, Y) is also fresh.
(iii) (R3) Belief rule: if P believes X and Y, then P believes the combination of X and Y.
(iv) (R4) Nonce-verification rule: if P believes that X is fresh and Q once said X, then P believes that Q believes X.
(v) (R5) Jurisdiction rule: if P believes Q has jurisdiction over X and Q believes X, then P believes X.
(vi) (R6) Seeing rule: if P once received a formula and knew the associated key, then P once saw the components of the formula.
(vii) (R7) Session key rule: if P believes X is fresh and Q believes X, then P believes he shares the key K with Q.

Adversary Model.
Combining with the 12-Criteria, we list widely accepted valid assumptions about the capabilities of an adversary A, which are used to analyse the security of the authentication and key agreement protocols.
(i) When entities in a WSN communicate with each other over an insecure wireless channel, A can eavesdrop and intercept all messages transmitted over a public channel and is capable of tampering with and deleting the intercepted messages. In addition, A can participate in running the protocol as a legitimate entity.
(ii) In reality, users' devices and sensors are usually equipped with hardware to prevent reading and tampering with data illegally [27], but to adhere to the extreme-adversary principle [28], it is reasonable to assume that when the user's device or the sensor is captured by A, A has the ability to obtain the data stored in the memory of the captured sensors through side channel attack [24].
(iii) A is capable of enumerating the Cartesian products of the user's identity and password. Besides, in the n-factor authentication protocol, A can obtain (n − 1) factors at most.
(iv) Only when evaluating the forward secrecy of the protocol, A can obtain the long-term private key of a gateway node or a sensor node.

Security Model.
To formalize our proposal later, the BPR model [29] is introduced in this section, i.e., depictions of the random oracle model and the definition of authentication and key-exchange (AKE) security.

Table 2: Notations of BAN logic.
Notations    Descriptions
$P |\equiv X$    P believes X is true
$P \triangleleft X$    P sees X and is capable of reading and repeating it
$P |\sim X$    P once said X; at some time, P has sent the message containing X
$P |\Rightarrow X$    P has control or jurisdiction over X
$\#(X)$    X is fresh, which means it was never sent before the current execution of the protocol
$P \stackrel{K}{\longleftrightarrow} Q$    Both P and Q can use the shared key K to communicate with each other, and K is an intact key
$P \stackrel{X}{\Longleftrightarrow} Q$    X is a secret only known to P and Q and possibly to principals trusted by them
$\langle X \rangle_Y$    X combined with Y

among the three communicators during a normal interaction.
(ii) Send($\Pi_I^*$, m): it represents the active attack, which allows A to intercept and forge the message, further send it to $\Pi_I^*$, and obtain the corresponding response.
(iii) Reveal($\Pi_I^*$): it models abuse of the session key. Once $\Pi_I^*$ accepts the current session and generates a session key SK, it will return SK to A; otherwise, return ⊥.
(2) they both have the same sid;

Freshness. A fresh $\Pi_I^*$ satisfies that (1) $\Pi_I^*$ is accepted and owns its session key; (2) A does not query Reveal(*) to $\Pi_I^*$ or its partner; (3) since P runs, A queries Corrupt(*) to $\Pi_I^*$ or its partner once at most.
Definition 1. (AKE security) Succ(A) denotes the event that A makes Test(*) queries to several new accepted instances and guesses the right $b'$ satisfying $b = b'$. Then, the advantage of A breaking the AKE security of P can be defined as $Adv_P^{AKE}(A)$. For any probabilistic polynomial time (PPT) adversary A attempting to break P, if $Adv_P^{AKE}(A)$ is negligible, then we say P achieves AKE security.

Cryptanalysis of Guo et al.'s Scheme
The scheme designed by Guo et al. [22] is composed of five parts, including system setup, registration, login, authentication, and password change. Here, we have to leave out the review of their scheme due to space constraints, and readers can refer to [22]. Thus, on the basis of the aforementioned assumptions, security flaws in their scheme are analysed in this section.
No Sound Repairability. Usually, discarded smart cards are not in the safe keeping of users. If a user's smart card is unfortunately captured by an attacker A, A can possibly launch the offline password guessing attack. Therefore, it is essential to provide a method to cancel the smart card of the user in multifactor authentication protocols.

Improper Treatment of Biometric Factors. As described in this protocol, after the user enters his biometric factor BIO
which is a key parameter to verify the true identity of the user. In practice, however, some error bits always occur when reading devices extract biometric features (e.g., fingerprint and iris), that is, the biometric features extracted each time are not always identical. Therefore, $O_i$ calculated by SC may not equal the value obtained during the user's registration phase, which may result in failed authentication even if the user has input the right password.
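The effect described above can be reproduced with a toy fuzzy extractor; this is an added example, not code from the paper or from [25]. It assumes a code-offset construction over a 5-fold repetition code, SHA-256, and a constructed 160-bit template, and it uses the paper's names α (secret string) and β (public helper data).

```python
import hashlib
import random
import secrets

REP = 5  # repetition factor: up to 2 flipped bits per 5-bit group are corrected


def naive_tag(bio):
    """Direct hash of the raw reading: a single flipped bit changes the tag."""
    return hashlib.sha256(bytes(bio)).hexdigest()


def gen(bio):
    """Gen(BIO) -> (alpha, beta): alpha is the secret string, beta the public helper."""
    key = [secrets.randbelow(2) for _ in range(len(bio) // REP)]
    codeword = [bit for bit in key for _ in range(REP)]   # repetition encoding
    beta = [c ^ w for c, w in zip(codeword, bio)]         # code-offset sketch
    alpha = hashlib.sha256(bytes(key)).hexdigest()
    return alpha, beta


def rep(bio_reading, beta):
    """Rep(BIO', beta) -> alpha, provided BIO' is close enough to the enrolled BIO."""
    noisy = [b ^ w for b, w in zip(beta, bio_reading)]    # codeword XOR error pattern
    key = [int(sum(noisy[i:i + REP]) > REP // 2)          # majority vote per group
           for i in range(0, len(noisy), REP)]
    return hashlib.sha256(bytes(key)).hexdigest()


def flip(bio, positions):
    """Return a copy of the reading with the given bit positions inverted."""
    out = list(bio)
    for p in positions:
        out[p] ^= 1
    return out


# Constructed sample data: a 160-bit "biometric template" and two later readings.
_rng = random.Random(2021)
ENROLLED = [_rng.randrange(2) for _ in range(160)]
READING_OK = flip(ENROLLED, [0, 1, 17, 42, 43, 99])   # at most 2 errors per group
READING_BAD = flip(ENROLLED, [0, 1, 2])               # 3 errors in the first group


def demo():
    """Compare a raw hash of the reading with fuzzy-extractor reproduction."""
    alpha, beta = gen(ENROLLED)
    return {
        "naive_matches": naive_tag(READING_OK) == naive_tag(ENROLLED),
        "fuzzy_matches": rep(READING_OK, beta) == alpha,
        "too_noisy_matches": rep(READING_BAD, beta) == alpha,
    }


if __name__ == "__main__":
    print(demo())
```

A repetition code is used only because it fits in a few lines; it is not a recommendation for a deployed extractor.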
Offline Password Guessing Attack. In the login phase, A is assumed to have the ability to obtain two of the three authentication factors. Given that A has accessed the user's identity $ID_i$ and biometric factor $BIO_i$, he can then launch an offline password guessing attack by the following process.

A guesses a possible password PW
Lack of Forward Secrecy. Given that the long-term secret key of the GWN is revealed, A can grab the private key of the sensor and further restore previous session keys.
(i) Case 1:
(1) A obtains $x_{hg}$ of HGWN and eavesdrops the message $M_1$ to gain the identity $SID_j$ of the user-pointed communication object $S_j$. Then, A computes $f_j = h(SID_j \| x_{hg})$.
(2) A eavesdrops messages $M_2$ and $M_3$ and then In this way, the session key can be derived by A as $SK = h(r_s \| r_{hg} \| r_u)$.
(ii) Case 2:
(1) A obtains $x_{fg}$ of FGWN and computes $f_j = h(SID_j \| x_{fg})$ after eavesdropping the message $M_1$.
(2) A eavesdrops messages $M_6$ and $M_7$ and then calculates with ease.

The Proposed Scheme
In this section, we present a lightweight three-factor authentication and key agreement scheme for multigateway  Figure 2, this phase involves two parts, sensor registration and user registration. Both sensor nodes and users need to register their essential information with the closest gateway, namely, HGWN.

Sensor Registration
Step 1: $S_j$ ⟹ HGWN: $SID_j$. $S_j$ sends its identity $SID_j$ to HGWN over a private channel, and HGWN stores $SID_j$ in its database for checking whether or not $S_j$ is registered.
Step 2: HGWN ⟹ $S_j$: a private channel. After the reception of $x_j$, $S_j$ saves it secretly.

User Registration
Step 1: $U_i$ ⟹ HGWN: $\{ID_i, HPW_i, \beta_i\}$. $U_i$ inputs his username $ID_i$, the password $PW_i$, and his biometric information $BIO_i$. Next, he chooses a number $r_i \in Z_p^*$ at random and then computes
Step 2: HGWN ⟹ $U_i$: SC$\{TID_i, \beta_i, e_i, ID_{hg}\}$. HGWN selects a pseudoidentity $TID_i$ for $U_i$ and calculates Then, HGWN stores $\{ID_i, K_i, honey\_list = 0\}$ into its database and $\{TID_i, \beta_i, e_i, ID_{hg}\}$ to SC, where honey_list records the number of the user logon failures.
Step 3: Next, $U_i$ stores $B_1$, $B_2$ into his SC.

Login
Step 1: $U_i$ first inputs $ID_i$, $PW_i$, and $BIO_i$; then, SC If so, turn to the next step; otherwise, return a logon failure message and terminate this session.
Step 2: SC chooses a timestamp $T_1$ and a random number $r_u \in Z_p^*$ and then calculates

Authentication and Key Agreement.
After the reception of $U_i$'s request to communicate with $SID_j$, HGWN first confirms whether the specified sensor $S_j$ is located within its communication range. Specifically, if HGWN can query its local database for $SID_j$, then the authentication can be conducted as described in Case 1 (see Figure 3); otherwise, run as shown in Case 2 (see Figure 4).
(i) Case 1:
Step 1: after receiving $M_1$, HGWN records the current timestamp is true; if so, it turns into the next step; otherwise, it sets honey_list = honey_list + 1 and returns a logon failure message to $U_i$. Note that once honey_list ≥ 10, $U_i$'s account would be frozen, and the session is also terminated.
Step 2: HGWN ⟶ $S_j$: $M_2 = \{D_4, D_5, D_6, T_2\}$. HGWN selects $r_{hg} \in Z_p^*$ randomly and then computes
Step 3: After the reception of $M_2$, $S_j$ records the timestamp $T_3$ and checks the freshness of $T_2$. Next, and checks whether the equation ; if so, it turns to the next step; otherwise, it terminates the current session.
Step 4: Step for $U_i$ and continues to compute $D_9 = r_s \oplus h(x_i \| r_u)$,
Step 7: after the reception of $M_4$, $U_i$ takes down the current timestamp $T_5$ and checks the validity of $T_4$. Next, $U_i$ computes $r_s = D_9 \oplus h(x_i \| r_u)$, $r_{hg} = D_{10} \oplus h$ if so, then it turns to the next step; otherwise, it discontinues the session.
Step 8: SC calculates $e_i' = HPW_i \oplus K_i \oplus x_i'$ and substitutes $TID_i'$, $e_i'$ for $TID_i$, $e_i$.
(ii) Case 2:
Step 1: similarly, after the reception of $M_1$, HGWN takes down the current timestamp $T_2$. If $|T_2 - T_1| \le \Delta T$, then $M_1$ is valid; otherwise, the session is discontinued. Next, HGWN computes If the equation holds, HGWN runs the next step; otherwise, it sets honey_list = honey_list + 1, returns a logon failure message to $U_i$, and aborts the session.
Step 3: FGWN ⟶ HGWN: $M_3 = \{D_4, ID_{fh}, T_3\}$. FGWN finds $SID_j$ in its database, then records the present timestamp $T_3$, and computes
Step 4:
Step 5: after receiving $M_4$, $U_i$ records the timestamp $T_5$ and checks the validity of $T_4$. Then, , and $x_i' = D_6 \oplus h(TID_i' \| x_i)$ and checks equation holds, $U_i$ continues the next step; otherwise, it terminates the session.
Step 6: $U_i$ ⟶ FGWN: $M_5 = \{TID_i, D_9, D_{10}, T_5\}$. $U_i$ selects a random number $r_u' \in Z_p^*$ and computes
Step 7: after the reception of $M_5$, FGWN records $T_6$ and verifies the freshness of $T_5$. Next, FGWN computes $r_u' = D_9 \oplus x_g$ and further checks whether FGWN continues the next step; otherwise, it discontinues the session.
Step 8: FGWN ⟶ $S_j$: $M_6 = \{D_{11}, D_{12}, D_{13}, T_6\}$. FGWN selects $r_{fg}$ at random and computes
Step 9: after the reception of $M_6$, $S_j$ takes down the timestamp $T_7$ and verifies the freshness of $T_6$. Next, $S_j$ calculates $r_{fg} = D_{11} \oplus h(x_j \| T_6)$ and $r_u' = D_{12} \oplus h(r_{fg} \| x_j \| T_6)$ and checks the equation . If the equation holds, $S_j$ turns to the next step; otherwise, it terminates the session.
Step 12: FGWN ⟶ $U_i$:
Step 13: after receiving $M_8$, $U_i$ thereupon records the timestamp $T_9$ and checks the validity of $T_8$. Further, $U_i$ computes $r_s = D_{16} \oplus h(x_g \| r_u')$, $r_{fg} = D_{17} \oplus h(r_u' \| x_g)$, and $SK_u = h(r_u' \| r_{fg} \| r_s \| ID_{fg})$ and checks whether the equation holds; if so, it continues the next step; otherwise, it discontinues the session.
Step 14: SC computes $e_i' = HPW_i \oplus K_i \oplus x_i'$ and replaces $TID_i$, $e_i$ with $TID_i'$, $e_i'$.
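The nonce transport of Case 2 (Steps 9 and 13) and the resulting session key can be traced in a short simulation; this is an added example, not the authors' implementation. It assumes SHA-256 with length-prefixed fields for h(·), 32-byte nonces and keys, that $x_g$ is a value shared by $U_i$ and FGWN, and that FGWN already holds $r_s$ (the return message from $S_j$ is not recoverable from the text and is omitted).

```python
import hashlib
import secrets


def h(*parts):
    """h(a || b || ...) with length-prefixed fields (encoding is an assumption)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def fgwn_build_m6(x_j, r_fg, r_u, t6):
    """FGWN -> S_j: D11 and D12 as implied by the unmasking in Step 9."""
    return {"D11": xor(r_fg, h(x_j, t6)),
            "D12": xor(r_u, h(r_fg, x_j, t6)),
            "T6": t6}


def sensor_open_m6(x_j, m6):
    """Step 9: r_fg = D11 xor h(x_j || T6), r_u' = D12 xor h(r_fg || x_j || T6)."""
    r_fg = xor(m6["D11"], h(x_j, m6["T6"]))
    r_u = xor(m6["D12"], h(r_fg, x_j, m6["T6"]))
    return r_fg, r_u


def fgwn_build_m8(x_g, r_u, r_s, r_fg):
    """FGWN -> U_i: D16 and D17 as implied by the unmasking in Step 13."""
    return {"D16": xor(r_s, h(x_g, r_u)), "D17": xor(r_fg, h(r_u, x_g))}


def user_open_m8(x_g, r_u, m8):
    """Step 13: r_s = D16 xor h(x_g || r_u'), r_fg = D17 xor h(r_u' || x_g)."""
    return xor(m8["D16"], h(x_g, r_u)), xor(m8["D17"], h(r_u, x_g))


def session_key(r_u, r_fg, r_s, id_fg):
    """SK = h(r_u' || r_fg || r_s || ID_fg)."""
    return h(r_u, r_fg, r_s, id_fg)


def run_case2(tamper_t6=False):
    """Run one exchange; optionally rewrite T6 in transit (constructed values)."""
    x_j, x_g = secrets.token_bytes(32), secrets.token_bytes(32)
    r_u, r_fg, r_s = (secrets.token_bytes(32) for _ in range(3))
    id_fg, t6 = b"FGWN-01", b"1700000000"

    m6 = fgwn_build_m6(x_j, r_fg, r_u, t6)
    if tamper_t6:
        m6["T6"] = b"1700000999"          # timestamp changed on the public channel
    s_r_fg, s_r_u = sensor_open_m6(x_j, m6)

    m8 = fgwn_build_m8(x_g, r_u, r_s, r_fg)
    u_r_s, u_r_fg = user_open_m8(x_g, r_u, m8)

    return {"SK_u": session_key(r_u, u_r_fg, u_r_s, id_fg),
            "SK_fg": session_key(r_u, r_fg, r_s, id_fg),
            "SK_s": session_key(s_r_u, s_r_fg, r_s, id_fg)}


if __name__ == "__main__":
    print(len(set(run_case2().values())) == 1)
```

Because $T_6$ is an input to both masks, a rewritten timestamp makes $S_j$ recover different nonces, so its key no longer agrees with the other two parties.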

Password Update
Step 1: $U_i$ first inputs his $ID_i$, $PW_i$, and $BIO_i$. SC and $HPW_i = h(PW_i \| \alpha_i \| r_i)$ and checks the equation If the equation holds, the next step can be run; otherwise, a logon failure message would be returned and the login request also would be terminated.
Step 2: $U_i$ inputs a new password $PW_i'$, and SC computes

Smart Card Logout
Step 1: $U_i$ inserts his smart card SC and inputs $ID_i$, $PW_i$ as well as $BIO_i$. Further, SC computes Step 2; otherwise, it returns a logon failure message and terminates this session.
Step 2:
Step 3: after the reception of $M_0$, HGWN records the timestamp $T_2$. If $|T_2 - T_1| \le \Delta T$ is true, then $M_0$ is fresh. Then, HGWN computes $x_i = h(TID_i \| x_{hg}) \oplus R_h$ and $K_i' = R_0 \oplus (x_i \| T_1)$ and continues to check whether If the equation holds, it runs the next step; otherwise, it aborts the session.
Step 4: HGWN deletes all local records $\{ID_i, K_i, honey\_list\}$ of $U_i$.

Security Analysis
This section provides a rigorous security analysis for the proposed authentication scheme. On the basis of 12-Criteria, informal analysis first discusses how the proposed scheme resists some well-known attacks. Second, the popular BAN logic is utilized to validate the correctness of the proposed scheme as well as the feasibility of authentication and key negotiation. Finally, the BPR model-based formal security proof demonstrates the security of the proposed scheme.

Informal Analysis
Resistance to Insider Attack. In multifactor authentication schemes, the user's password, as a second factor, is vital for the server/gateway to authenticate the user. The server/gateway in its usual sense is worth [24] passwords satisfying the equation, the attempts of which are enormous, thus the offline password guessing attack is bound to fail. Furthermore, honey_list records the number of user logon failures when HGWN verifies the identity of $U_i$, which makes it extremely unlikely that A can guess the right password through online password guessing within finite attempts. Clearly, the proposed scheme can resist diverse password guessing attacks.
Resistance to Replay Attack. It is known that A has the ability to eavesdrop and intercept messages over the public channel. So, A may retransmit the eavesdropped or intercepted messages in a new round of the protocol, to make the other party believe that "he" is legitimate to communicate with. In the proposed protocol, however, the timestamp is employed to demonstrate the freshness of each message, so as to filter out old messages intercepted by A. For an instance, However, A can only change the timestamp in the message but not that in $D_3$, thus the launched replay attack is bound to fail. This instance illustrates that the proposed scheme can withstand replay attack.
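The gateway-side checks behind the password guessing and replay arguments above (freshness window, an authenticator that covers $T_1$, and the honey_list counter with its freeze threshold of 10) are sketched below as an added example, not the paper's code. The formula for $D_3$ is not recoverable from the text, so `make_login` uses a hypothetical $D_3 = h(x_i \| TID_i \| T_1)$; SHA-256, ΔT = 5 s, and all sample values are likewise assumptions.

```python
import hashlib
import hmac

DELTA_T = 5        # assumed freshness window in seconds for |T2 - T1| <= ΔT
FREEZE_AT = 10     # from the scheme: account frozen once honey_list >= 10


def h(*parts):
    """Hash of length-prefixed fields (SHA-256 is an assumption of this example)."""
    data = b"".join(len(p).to_bytes(2, "big") + p for p in parts)
    return hashlib.sha256(data).digest()


def make_login(tid, x_i, t1):
    """User side: hypothetical authenticator D3 that binds the timestamp T1."""
    return {"TID": tid, "T1": t1, "D3": h(x_i, tid, str(t1).encode())}


class Gateway:
    def __init__(self):
        self.users = {}  # TID -> {"x": key, "honey_list": failures, "frozen": flag}

    def register(self, tid, x_i):
        self.users[tid] = {"x": x_i, "honey_list": 0, "frozen": False}

    def verify_login(self, msg, t2):
        rec = self.users.get(msg["TID"])
        if rec is None:
            return "unknown"
        if rec["frozen"]:
            return "frozen"
        # Freshness first: a stale message ends the session without a penalty.
        if abs(t2 - msg["T1"]) > DELTA_T:
            return "stale"
        expected = h(rec["x"], msg["TID"], str(msg["T1"]).encode())
        if hmac.compare_digest(expected, msg["D3"]):
            return "accept"
        # Failed verification: count it, and freeze at the threshold.
        rec["honey_list"] += 1
        if rec["honey_list"] >= FREEZE_AT:
            rec["frozen"] = True
        return "reject"


def demo():
    """Constructed scenario: honest login, two replays, then repeated bad guesses."""
    key = bytes(range(32))                       # constructed user key x_i
    gw = Gateway()
    gw.register(b"TID-0001", key)
    captured = make_login(b"TID-0001", key, t1=1000)

    results = [gw.verify_login(captured, t2=1002)]         # honest, within ΔT
    results.append(gw.verify_login(captured, t2=1100))     # replayed later
    rewritten = dict(captured, T1=1100)                    # T1 changed, D3 unchanged
    results.append(gw.verify_login(rewritten, t2=1100))
    for n in range(9):                                     # nine wrong-key attempts
        guess = make_login(b"TID-0001", b"guess-%d" % n, t1=1200)
        results.append(gw.verify_login(guess, t2=1200))
    # Even a correct login is refused once the account is frozen.
    results.append(gw.verify_login(make_login(b"TID-0001", key, 1300), t2=1300))
    return results, gw.users[b"TID-0001"]["honey_list"]


if __name__ == "__main__":
    print(demo())
```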
User Anonymity. In terms of user anonymity, it is required that A cannot find out the true identities of users or trace their communication trajectories. In this scheme, each user $U_i$ is assigned a pseudonym $TID_i$, and after a round of key negotiation, his pseudonym will be updated with a new pseudonym $TID_i'$. Moreover, the calculation of $TID_i'$ depends on $U_i$'s private key $x_i$ and identity $ID_i$, neither of which is exposed to the open channel. Therefore, A cannot trace the communication trajectory of the user via the pseudonym. As analysed above, user anonymity is effective.
Forward Secrecy. According to the proposed protocol, $U_i$'s and $S_j$'s private keys are both calculated by a random number and the gateway node's long-term key. It helps that even if the long-term key of the gateway node is leaked for some reason, A cannot figure out $U_i$'s or $S_j$'s private key due to no idea of the random number. As the session key $SK = SK_u = SK_s = SK_{hg} = h(r_u \| r_{hg} \| r_s \| ID_{hg})$ depends on $r_u$, $r_{hg}$, as well as $r_s$, three of which are severally masked by private keys of three parties, A cannot compute the right SK at all. Consequently, the presented scheme supports forward secrecy.
Effective Smart Card Logout. For those smart cards not used any more, improper handling may pose a huge safety hazard. On the basis of the smart card logout method described in this protocol, $U_i$ must enter his right $ID_i$, $PW_i$, and $BIO_i$ simultaneously while cancelling his SC, so as to prevent A from launching malicious cancellation after the smart card is lost. In addition, A cannot achieve password guessing attack and obtain three authentication factors at the same time, so there is no way for A to masquerade as a legitimate user to cancel the smart card. Hence, the smart card logout method presented in this protocol is effective and secure.

Formal Analysis Based on BAN Logic.
In the light of BAN logic, a detailed analysis in this section will illustrate that the interacting parties ($U_i$, HGWN, and $S_j$) can achieve mutual authentication and negotiate a common session key properly and securely. The analytic procedures for two cases in the proposed scheme are described as follows.
So, G5 has also been gained. From $M_4$ and R6, we can gain S21: . From S22, $A_1$, R2, and R4,
Consequently, all security goals are amply demonstrated, both in Case 1 and in Case 2. In the meantime, it also confirms that the communication participants ($U_i$, HGWN/FGWN, and $S_j$) can authenticate mutually and negotiate a common key successfully.

Formal Analysis Based on BPR Model
Proof. Five games $G_i$ (i = 0, 1, 2, 3, and 4) are considered to demonstrate Theorem 1, and the simulation process of each game is analysed as below, wherein $S_i$ indicates the event that A outputs the right random bit b in $G_i$, where i = 0, 1, 2, 3, and 4.
$G_2$: here, A can make Send($\Pi_I^*$, m) queries and H queries to convince the true communicator of forged messages. Only when A happens to find some collisions and succeeds in constructing credible messages, the simulation terminates. In $G_2$, two kinds of collisions may be contained: output collisions of hash functions and collisions of random numbers selected in P. According to the Birthday Paradox [30], the probabilities of their occurrence are $q_h^2/2^{l+1}$ and $(q_s + q_e)^2/(2(p-1))$, respectively. Therefore, we obtain . (11)
$G_3$: this game differs from the above games in the case that when A can guess the correct authentication factors $D_3$, $D_6$, $D_8$, and $D_{13}$ without H queries, the simulation terminates. It is indistinguishable from the previous games except that some instance refuses the right authentication. Thus, we have
$G_4$: in this game, A has abilities to reach more information through the Corrupt($\Pi_U^i$, a) query.
(i) A queries Corrupt($\Pi_U^i$, 1), which means he has got the user's password and parameters stored in SC. Then, in $q_s$ Send($\Pi_I^*$, m) queries, A succeeds in guessing $\alpha_i$ with the length $l_\alpha$, the possibility of which is $q_s/2^{l_\alpha}$.
(ii) A queries Corrupt($\Pi_U^i$, 2), that is, A has accessed the user's biometric factors and parameters stored in SC. Then, in $q_s$ Send($\Pi_I^*$, m) queries, A succeeds in guessing the victim's password, the possibility of which is $C' q_s^{s'}$.
(iii) A queries Corrupt($\Pi_U^i$, 3); similarly, A has the user's password and biometric factors. Then, the possibility of A guessing the right $x_i$ is $q_s/2^{l}$.
$G_4$ and $G_3$ are indistinguishable unless the above attack is successful. So, we have When A has no efficient input to make queries to H, there is no advantage to distinguish the real SK from a random number with the same size through Test($\Pi_I^*$). Therefore, From (2)-(7), we can draw conclusion (1) or (8); this is □

Performance Comparison
In this section, the proposed protocol is compared with several existing multifactor authentication protocols in terms of performance, involving security features, computation overhead, and storage costs. Specific comparison results and analysis are described as follows.

Security Features.
On the basis of the security 12-Criteria, Table 3 presents the comparison results of these diverse authentication protocols, i.e., Guo et al. [22], Wu et al. [20], Srinivas et al. [21], Amin [19], and our proposed protocol. The proposed protocol satisfies all 12 evaluation criteria, whereas the others meet 8 at most. In particular, the new protocol in this paper exclusively provides repairability and forward secrecy, as well as resistance against stolen smart card attack. The protocol presented by Guo et al. [22] has weaknesses in no repairability, improper treatment of biometric features, and offline password guessing attack; the protocol of Wu et al. [20] cannot resist insider attack, stolen smart card attack, and offline password guessing attack; the protocol proposed by Srinivas et al. [21] does not protect against insider attack and offline password guessing attack or ensure that the user will not be traced; Amin's protocol [19] provides neither resistance to insider attack nor a guarantee of untraceability of the user. Furthermore, none of these protocols, except the proposed one, implements forward secrecy.
It should be noted that the 12 security evaluation criteria were proposed by Wang and Wang [24]: C1 for no password verifier-table; C2 for password-friendly; C3 for no password exposure; C4 for no smart card loss attack; C5 for resistance to known attacks; C6 for sound repairability; C7 for provision of key agreement; C8 for no clock synchronization; C9 for timely typo detection; C10 for mutual authentication; C11 for user anonymity; C12 for forward secrecy.

Computation Overhead.
In this section, we compare the computation overhead among the above relevant schemes. In reality, login and authentication are much more frequent than registration, thus the performance of authentication and key-agreement protocols depends primarily on the computational costs of the login and authentication phases. As depicted in Table 4, the proposed scheme is more computationally expensive than other schemes at the user side. This is unsurprising because a fuzzy extractor is employed in this paper to extract and verify the biometric features, which is more applicable for high security systems. As for the gateways and resource-constrained sensor nodes, the computational costs are nearly the same. At any side, the schemes proposed by Wu et al. [20] and Amin [19] have the least computational overhead as they trade low safety features for high efficiency. In summary, although other schemes perform better in computational complexity, the proposed scheme can protect against all security threats faced by other schemes, which is more feasible in the real world.

Storage Costs.
Comparison of storage costs among the proposed scheme and other relevant schemes is stated in this section; see Table 5 and Figure 5. The recommended sizes are 32 bits for the (pseudo-)identity, 160 bits for the hash output, 128 bits for the fuzzy extractor public data, 128 bits for a random number, and 32 bits for a timestamp, and these parameters are denoted separately as $L_{ID}$, $L_h$, $L_{fe}$, $L_r$, and $L_T$. As shown in Figure 5, storage overhead on the user and sensor node sides is nearly the same, but that on the gateway nodes is higher because, in the proposed scheme, smart card logout is achieved with the assistance of honey_list saved in gateway nodes' memories. However, in terms of storage capacity, gateway nodes are much better than smart cards and sensor nodes, thus the overhead is acceptable.

Conclusion
WSNs are becoming increasingly vital in IoT applications. Inevitably, multifactor and multigateway authentication protocols have become a focus. In this paper, through analysing weaknesses in the existing schemes, we introduced the widely accepted criteria for evaluating security protocols. In line with the criteria, we revisited Guo et al.'s scheme and found some security flaws, i.e., no repairability, improper treatment of biometric factors, offline password guessing, and no forward secrecy. Then, we proposed a new three-factor authentication protocol for multiple gateways using the fuzzy extractor and honey_list technique. Following that, we proved the correctness and security of the proposed scheme by BAN logic and the BPR model. On the whole, our proposed scheme outperformed other relevant schemes by remaining efficient in performance while satisfying the security criteria.

Data Availability
No data were used to support this study.

Conflicts of Interest
The authors declare that there are no conflicts of interest regarding the publication of this paper.