
Showing papers on "Password published in 2018"


Journal Article
TL;DR: The design of a new secure lightweight three-factor remote user authentication scheme for HIoTNs, called the user authenticated key management protocol (UAKMP), which is comparable in computation and communication costs to other existing schemes.
Abstract: In recent years, research in the generic Internet of Things (IoT) has attracted a lot of practical applications including smart home, smart city, smart grid, industrial Internet, connected healthcare, smart retail, smart supply chain and smart farming. The hierarchical IoT network (HIoTN) is a special kind of generic IoT network, which is composed of different nodes, such as the gateway node, cluster head nodes, and sensing nodes organized in a hierarchy. In an HIoTN, there is a need for a user to directly access the real-time data from the sensing nodes for a particular application in a generic IoT networking environment. This paper emphasizes the design of a new secure lightweight three-factor remote user authentication scheme for HIoTNs, called the user authenticated key management protocol (UAKMP). The three factors used in UAKMP are the user smart card, password, and personal biometrics. The security of the scheme is thoroughly analyzed under the formal security in the widely accepted real-or-random model, the informal security as well as the formal security verification using the widely accepted automated validation of Internet security protocols and applications tool. UAKMP offers several functionality features including offline sensing node registration, a free password and biometric update facility, user anonymity, and sensing node anonymity compared to other related existing schemes. In addition, UAKMP is also comparable in computation and communication costs to other existing schemes.

310 citations


Journal Article
TL;DR: A secure system to devise a novel two-fold access control mechanism, which is self-adaptive for both normal and emergency situations, is formally proved secure, and extensive comparison and simulations demonstrate its efficiency.

267 citations


Journal Article
TL;DR: An architecture for a patient-monitoring health-care system in WMSNs is proposed, an anonymity-preserving mutual authentication protocol for mobile users is designed, and the proposed protocol is demonstrated to be efficient and robust.

249 citations


Journal Article
TL;DR: A new authentication scheme for multi-server environments using a Chebyshev chaotic map that provides strong authentication, and also supports a biometrics and password change phase by a legitimate user at any time locally, and a dynamic server addition phase.
Abstract: The multi-server environment is the most common scenario for a large number of enterprise class applications. In this environment, user registration at each server is not recommended. Using a multi-server authentication architecture, a user can manage authentication to various servers using a single identity and password. We introduce a new authentication scheme for multi-server environments using the Chebyshev chaotic map. In our scheme, we use the Chebyshev chaotic map and biometric verification along with password verification for authorization and access to various application servers. The proposed scheme is light-weight compared to other related schemes. We only use the Chebyshev chaotic map, a cryptographic hash function and symmetric key encryption-decryption in the proposed scheme. Our scheme provides strong authentication, and also supports a biometrics and password change phase by a legitimate user at any time locally, and a dynamic server addition phase. We perform the formal security verification using the broadly-accepted Automated Validation of Internet Security Protocols and Applications (AVISPA) tool to show that the presented scheme is secure. In addition, we use the formal security analysis using the Burrows-Abadi-Needham (BAN) logic along with random oracle models and prove that our scheme is secure against different known attacks. High security and significantly low computation and communication costs make our scheme very suitable for multi-server environments as compared to other existing related schemes.

171 citations


Journal Article
TL;DR: This paper proposes a new secure three-factor remote user authentication protocol based on extended chaotic maps and presents the formal security analysis using both the widely accepted real-or-random model and Burrows–Abadi–Needham logic.
Abstract: The recent proliferation of mobile devices, such as smartphones and wearable devices, has given rise to crowdsourcing Internet of Things (IoT) applications. E-healthcare service is one of the important services for the crowdsourcing IoT applications that facilitates remote access or storage of medical server data to the authorized users (for example, doctors, patients, and nurses) via wireless communication. As wireless communication is susceptible to various kinds of threats and attacks, remote user authentication is highly essential for a hazard-free use of these services. In this paper, we aim to propose a new secure three-factor remote user authentication protocol based on the extended chaotic maps. The three factors involved in the proposed scheme are: 1) smart card; 2) password; and 3) personal biometrics. As the proposed scheme avoids computationally expensive elliptic curve point multiplication or modular exponentiation operations, it is lightweight and efficient. The formal security verification using the widely-accepted verification tool, called ProVerif 1.93, shows that the presented scheme is secure. In addition, we present the formal security analysis using both the widely accepted real-or-random model and Burrows–Abadi–Needham logic. With the combination of high security and appreciably low communication and computational overheads, our scheme is very practical for battery-limited devices in healthcare applications as compared to other existing related schemes.

162 citations


Book Chapter
29 Apr 2018
TL;DR: Asymmetric PAKE (aPAKE) strengthens the PAKE notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords.
Abstract: Password-Authenticated Key Exchange (PAKE) protocols allow two parties that only share a password to establish a shared key in a way that is immune to offline attacks. Asymmetric PAKE (aPAKE) strengthens this notion for the more common client-server setting where the server stores a mapping of the password and security is required even upon server compromise, that is, the only allowed attack in this case is an (inevitable) offline exhaustive dictionary attack against individual user passwords. Unfortunately, most suggested aPAKE protocols (that dispense with the use of servers’ public keys) allow for pre-computation attacks that lead to the instantaneous compromise of user passwords upon server compromise, thus forgoing much of the intended aPAKE security. Indeed, these protocols use – in essential ways – deterministic password mappings or use random “salt” transmitted in the clear from servers to users, and thus are vulnerable to pre-computation attacks.

117 citations


Journal Article
TL;DR: This Tutorial Review highlights the diversity of the molecular platforms and analytical techniques used for information security, and how those molecular systems can be used to emulate a broad spectrum of security measures.
Abstract: The idea of using molecules in the context of information security has sparked the interest of researchers from many scientific disciplines. This is clearly manifested in the diversity of the molecular platforms and the analytical techniques used for this purpose, some of which we highlight in this Tutorial Review. Moreover, those molecular systems can be used to emulate a broad spectrum of security measures. For a long time, molecular keypad locks enjoyed a clear preference and the review starts off with a description of how these devices developed. In the last few years, however, the field has evolved into something larger. Examples include more complex authentication protocols (multi-factor authentication and one-time passwords), the recognition of erroneous procedures in data transmission (parity devices), as well as steganographic and cryptographic protection.

116 citations


Journal Article
01 Apr 2018
TL;DR: A novel finger vein recognition algorithm using a secure biometric template scheme based on deep learning and random projections, named FVR-DLRP, that can maintain the accuracy of biometric identification while enhancing the uncertainty of the transformation, which provides better protection for biometric authentication.
Abstract: Leakage of unprotected biometric authentication data has become a high-risk threat for many applications. Lots of researchers are investigating and designing novel authentication schemes to prevent such attacks. However, the biggest challenge is how to protect biometric data while keeping the practical performance of identity verification systems. For the sake of tackling this problem, this paper presents a novel finger vein recognition algorithm by using a secure biometric template scheme based on deep learning and random projections, named FVR-DLRP. FVR-DLRP preserves the core biometric information even with the user’s password cracked, whereas the original biometric information is still safe. The experimental results show that the algorithm FVR-DLRP can maintain the accuracy of biometric identification while enhancing the uncertainty of the transformation, which provides better protection for biometric authentication.

112 citations


Proceedings Article
TL;DR: In this paper, the authors present an evaluation framework for comparing Bitcoin key management approaches, and conduct a broad usability evaluation of six representative Bitcoin clients, finding that Bitcoin shares many of the fundamental challenges of key management known from other domains, but that Bitcoin may present a unique opportunity to rethink key management for end users.
Abstract: Bitcoin users are directly or indirectly forced to deal with public key cryptography, which has a number of security and usability challenges that differ from the password-based authentication underlying most online banking services. Users must ensure that keys are simultaneously accessible, resistant to digital theft and resilient to loss. In this paper, we contribute an evaluation framework for comparing Bitcoin key management approaches, and conduct a broad usability evaluation of six representative Bitcoin clients. We find that Bitcoin shares many of the fundamental challenges of key management known from other domains, but that Bitcoin may present a unique opportunity to rethink key management for end users.

111 citations


Journal Article
TL;DR: A novel continuous authentication scheme for smartphone users is proposed, based on activity pattern recognition: it recognizes smartphone users on the basis of their physical activity patterns using the accelerometer, gyroscope, and magnetometer sensors of the smartphone.

107 citations


Journal Article
TL;DR: This article studies security vulnerabilities of password building and presents a password strength evaluation method that takes into account users' personal information.
Abstract: With the rapid development of wearable biosensors and wireless communication technologies, various smart healthcare systems are proposed to monitor the health of patients in real time. However, many security problems exist in these systems. For example, a password guessing attack can compromise IoT devices, leading to invasion of health data privacy. After giving an overview of security threats of healthcare IoT, this article studies security vulnerabilities of password building and presents a password strength evaluation method that takes into account users' personal information.

Journal Article
01 Oct 2018
TL;DR: An exploratory study of cyber hygiene knowledge and behavior offers information that designers and researchers can employ to improve users’ hygiene practices.
Abstract: End users’ cyber hygiene often plays a large role in cybersecurity breaches. Therefore, we need a deeper understanding of the user differences that are associated with either good or bad hygiene and an updated perspective on what users do to promote good hygiene (e.g., employ firewall and anti-virus applications). Those individuals with good cyber hygiene follow best practices for security and protect their personal information. This exploratory study of cyber hygiene knowledge and behavior offers information that designers and researchers can employ to improve users’ hygiene practices. We surveyed 268 participants about their knowledge of concepts, their knowledge of threats, and their behaviors related to cyber hygiene. Further, we asked participants about their previous training and experiences. Notably, the participants represent a large cross section from age 18 to 55+. We addressed inconsistencies in the literature, we provide up-to-date information on behaviors and on users’ knowledge about password usage and phishing, and we explored the impact of age, gender, victim history, perceived expertise, and training on cyber hygiene.

Journal Article
TL;DR: Vast research has been done on authentication techniques, although their use in some contexts has not been researched as much, and a lack of works regarding the comparison and selection of authentication techniques is observed.
Abstract: Context: There is a great variety of techniques for performing authentication, like the use of text passwords or smart cards. Some techniques combine others into one, which is known as multi-factor authentication. There is an interest in knowing existing authentication techniques, including those aimed at multi-factor authentication, and the frameworks that can be found in the literature that are used to compare and select these techniques according to different criteria. Objective: This article aims to gather the existing knowledge on authentication techniques and ways to discern the most effective ones for different contexts. Method: A systematic literature review is performed in order to gather existing authentication techniques proposed in the literature and ways to compare and select them in different contexts. A total of 515 single-factor and 442 multi-factor authentication techniques have been found. Furthermore, 17 articles regarding comparison and selection criteria for authentication techniques and 8 frameworks that help in such a task are discussed. Results: A great variety of single-factor techniques has been found and smart card-based authentication was shown to be the most researched technique. Similarly, multi-factor techniques combine the different single-factor techniques found and the combination of text passwords and smart cards is the most researched technique. Usability, security and costs are the most used criteria for comparing and selecting authentication schemes, whereas the context is given an important remark as well. No framework among the ones found analyzed in detail both single-factor and multi-factor authentication techniques for the decision-making process. Conclusion: The review shows that vast research has been done on authentication techniques, although their use in some contexts has not been researched as much. The lack of works regarding the comparison and selection of authentication techniques is observed.

Proceedings Article
01 Aug 2018
TL;DR: This paper presents a multi-key (or multi-password) based mutual authentication mechanism for IoT devices and implements this mechanism on an Arduino device to prove the algorithm is feasible on IoT devices with memory and computational power constraints.
Abstract: The Internet of Things is a topic of much interest and, in the last few years, security of IoT systems has been a field of tremendous research activity. Mutual authentication between IoT devices and IoT servers is an important part of secure IoT systems. Single password-based authentication mechanisms, which are widely used, are vulnerable to side-channel and dictionary attacks. In this paper, we present a multi-key (or multi-password) based mutual authentication mechanism. In our approach, the shared secret between the IoT server and the IoT device is called the secure vault, which is a collection of equal sized keys. Initial contents of the secure vault are shared between the server and the IoT device and the contents of the secure vault change after every successful communication session. We have implemented this mechanism on an Arduino device to prove our algorithm is feasible on IoT devices with memory and computational power constraints.

Journal Article
TL;DR: By utilizing the extended Chebyshev chaotic maps, an efficient anonymous password-authenticated key exchange protocol is proposed that is not only free from the limitations of Sha et al.'s scheme, but also provides anonymity.
Abstract: In the smart grid, key exchange protocols play a vital role in providing secure channels to read consumption reports from the smart meters. Thus far, several key exchange schemes have been proposed for the networked smart meters. However, for the first time, quite recently, Sha et al. have presented an interesting two-phase authentication and key agreement scheme that exclusively aims at the isolated smart meters. In their scheme, they have properly addressed the computationally constrained smart meters by offering a lightweight key exchange protocol. Nevertheless, after meticulous observation, we found that their proposed scheme cannot resist the desynchronization attack and cannot provide perfect forward secrecy. Moreover, there are some other weaknesses in their scheme. As a result, to tackle the existing security challenges, in this paper, by utilization of the extended Chebyshev chaotic maps, we propose an efficient anonymous password-authenticated key exchange protocol that is not only free from the limitations of Sha et al.'s scheme, but also provides anonymity. The security analysis in the random oracle model and using the widely accepted ProVerif tool, besides the computational and communication costs comparison, demonstrate that the proposed scheme has reached a proper level of efficiency without sacrificing the desired security properties.

Proceedings Article
12 Jul 2018
TL;DR: The method is implemented in LLVM and validated on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total, and ensures that the number of CPU cycles taken to execute any path is independent of the secret data.
Abstract: We propose a method, based on program analysis and transformation, for eliminating timing side channels in software code that implements security-critical applications. Our method takes as input the original program together with a list of secret variables (e.g., cryptographic keys, security tokens, or passwords) and returns the transformed program as output. The transformed program is guaranteed to be functionally equivalent to the original program and free of both instruction- and cache-timing side channels. Specifically, we ensure that the number of CPU cycles taken to execute any path is independent of the secret data, and the cache behavior of memory accesses, in terms of hits and misses, is independent of the secret data. We have implemented our method in LLVM and validated its effectiveness on a large set of applications, which are cryptographic libraries with 19,708 lines of C/C++ code in total. Our experiments show the method is both scalable for real applications and effective in eliminating timing side channels.

Journal Article
TL;DR: This work proposes a novel authentication system, PassMatrix, based on graphical passwords to resist shoulder surfing attacks, implements a PassMatrix prototype on Android, and carries out real user experiments to evaluate its memorability and usability.
Abstract: Authentication based on passwords is used largely in applications for computer security and privacy. However, human actions such as choosing bad passwords and inputting passwords in an insecure way are regarded as “the weakest link” in the authentication chain. Rather than arbitrary alphanumeric strings, users tend to choose passwords that are either short or meaningful for easy memorization. With web applications and mobile apps piling up, people can access these applications anytime and anywhere with various devices. This evolution brings great convenience but also increases the probability of exposing passwords to shoulder surfing attacks. Attackers can observe directly or use external recording devices to collect users’ credentials. To overcome this problem, we proposed a novel authentication system, PassMatrix, based on graphical passwords to resist shoulder surfing attacks. With a one-time valid login indicator and circulative horizontal and vertical bars covering the entire scope of pass-images, PassMatrix offers no hint for attackers to figure out or narrow down the password even if they conduct multiple camera-based attacks. We also implemented a PassMatrix prototype on Android and carried out real user experiments to evaluate its memorability and usability. From the experimental results, the proposed system achieves better resistance to shoulder surfing attacks while maintaining usability.

Journal Article
TL;DR: Through formal analysis using the AVISPA web tool, security analysis and performance analysis, it is concluded that the proposed protocol is more secure against potential attacks and achieves a trade-off between security and performance cost for healthcare applications using Cloud-IoT networks.
Abstract: Due to the tremendous rise of the cloud computing and the Internet of Things (IoT) paradigms, remote monitoring of patients in real time by a remote Medical Professional (MP) has become feasible and patients can enjoy healthcare services at home. To achieve this, the patient’s medical data will need to be stored on the Cloud server. However, patients’ medical data stored on the server are highly sensitive and, hence, the Cloud-IoT network becomes open to many attacks. For that reason, it must be ensured that patients’ medical data do not get exposed to malicious users. This makes strong user authentication a prerequisite for the successful global deployment of centralized healthcare systems. In this paper, we present an efficient, strong authentication protocol for the MP to access patient data for healthcare applications based on a Cloud-IoT network. The proposed protocol includes: (1) three-factor MP authentication (i.e. password, biometrics and smartcard); (2) mutual authentication between the MP and the cloud server; (3) establishment of a secure shared session key; and (4) maintenance of key freshness. Furthermore, the proposed protocol uses only two message exchanges between the MP and the cloud server, and attains efficiency (i.e. low computation and communication costs). Through formal analysis using the AVISPA web tool, security analysis and performance analysis, we conclude that the proposed protocol is more secure against potential attacks and obtains a trade-off between security and performance cost for healthcare applications using Cloud-IoT networks.

Proceedings Article
15 Oct 2018
TL;DR: This work proposes a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, and uses these properties to select a suitable measure that can determine the accuracy of strength meters.
Abstract: Password strength meters are an important tool to help users choose secure passwords. Strength meters can only provide reasonable guidance when they are accurate, i.e., when their scores correctly reflect password strength. A strength meter with low accuracy may do more harm than good and guide the user to choose passwords with a high score but low actual security. While a substantial number of different strength meters have been proposed in the literature and deployed in practice, we are lacking a clear picture of which strength meters provide high accuracy, and thus are most helpful for guiding users. Furthermore, we lack a clear understanding of how to compare accuracies of strength meters. In this work, (i) we propose a set of properties that a strength meter needs to fulfill to be considered to have high accuracy, (ii) we use these properties to select a suitable measure that can determine the accuracy of strength meters, and (iii) we use the selected measure to compare a wide range of strength meters proposed in the academic literature, provided by password managers, operating systems, and those used on websites. We expect our work to be helpful in the selection of good password strength meters by service operators, and to aid the further development of improved strength meters.

Proceedings Article
20 May 2018
TL;DR: Based on the analysis, standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts are recommended.
Abstract: Two-factor authentication (2FA) significantly improves the security of password-based authentication. Recently, there has been increased interest in Universal 2nd Factor (U2F) security keys—small hardware devices that require users to press a button on the security key to authenticate. To examine the usability of security keys in non-enterprise usage, we conducted two user studies of the YubiKey, a popular line of U2F security keys. The first study tasked 31 participants with configuring a Windows, Google, and Facebook account to authenticate using a YubiKey. This study revealed problems with setup instructions and workflow including users locking themselves out of their operating system or thinking they had successfully enabled 2FA when they had not. In contrast, the second study had 25 participants use a YubiKey in their daily lives over a period of four weeks, revealing that participants generally enjoyed the experience. Conducting both a laboratory and longitudinal study yielded insights into the usability of security keys that would not have been evident from either study in isolation. Based on our analysis, we recommend standardizing the setup process, enabling verification of success, allowing shared accounts, integrating with operating systems, and preventing lockouts.

Book Chapter
01 Jan 2018
TL;DR: A machine learning based anti-phishing system (named PHISH-SAFE) based on Uniform Resource Locator (URL) features, which shows more than 90% accuracy in detecting phishing websites using an SVM classifier.
Abstract: Today, phishing is one of the most serious cyber-security threats, in which attackers steal sensitive information such as personal identification numbers (PINs), credit card details, logins, passwords, etc., from Internet users. In this paper, we propose a machine learning based anti-phishing system (named PHISH-SAFE) based on Uniform Resource Locator (URL) features. To evaluate the performance of our proposed system, we have taken 14 features from the URL to detect whether a website is phishing or non-phishing. The proposed system is trained using more than 33,000 phishing and legitimate URLs with SVM and Naive Bayes classifiers. Our experimental results show more than 90% accuracy in detecting phishing websites using the SVM classifier.

Book Chapter
19 Dec 2018
TL;DR: This work intends to produce a safer system by creating authentication using honeywords in the password database, which contains a combination of both imitated passwords and original passwords in order to detect whether an attack has happened or not.
Abstract: The purpose of the password is to protect the user account from unauthorized usage by the hacker. But in the current situation the field of security also faces a lot of threats to the password, even in case it is hashed. With the rise of hacking technology even the hashed password doesn’t provide the required security and also allows the hacker to misuse or exploit the user account without being noticed. The most vulnerable part in this is that the misuse of the account can be realized only after the user logs in and sees the changes in their account usage. And so, systems have not yet been improved in safeguarding or detecting the attacks against the database of hashed passwords. Ari Juels et al. in 2013 [10] discovered the method of using honeywords for detecting password cracking. Honeywords are imitated passwords which are connected with the account of each user. We intend to produce a safer system by creating authentication using the honeywords in the password database. The newly created database contains a combination of both the imitated ones and the original passwords in order to detect whether an attack has happened or not. And hence when the hacker has the password database, he might get confused between the real and fake passwords. Here we make the hacker fall into our trap by confusing him. Once he tries to enter a false password the administrator will get a notification and the hacker gets identified.

Proceedings Article
01 May 2018
TL;DR: It is advocated that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.
Abstract: We develop an economic model of an offline password cracker which allows us to make quantitative predictions about the fraction of accounts that a rational password attacker would crack in the event of an authentication server breach. We apply our economic model to analyze recent massive password breaches at Yahoo!, Dropbox, LastPass and AshleyMadison. All four organizations were using key-stretching to protect user passwords. In fact, LastPass' use of PBKDF2-SHA256 with 10^5 hash iterations exceeds the 2017 NIST minimum recommendation by an order of magnitude. Nevertheless, our analysis paints a bleak picture: the adopted key-stretching levels provide insufficient protection for user passwords. In particular, we present strong evidence that most user passwords follow a Zipf's law distribution, and characterize the behavior of a rational attacker when user passwords are selected from a Zipf's law distribution. We show that there is a finite threshold which depends on the Zipf's law parameters that characterizes the behavior of a rational attacker — if the value of a cracked password (normalized by the cost of computing the password hash function) exceeds this threshold then the adversary's optimal strategy is always to continue attacking until each user password has been cracked. In all cases (Yahoo!, Dropbox, LastPass and AshleyMadison) we find that the value of a cracked password almost certainly exceeds this threshold, meaning that a rational attacker would crack all passwords that are selected from the Zipf's law distribution (i.e., most user passwords). This prediction holds even if we incorporate an aggressive model of diminishing returns for the attacker (e.g., the total value of 500 million cracked passwords is less than 100 times the total value of 5 million passwords). On a positive note, our analysis demonstrates that memory hard functions (MHFs) such as SCRYPT or Argon2i can significantly reduce the damage of an offline attack. In particular, we find that because MHFs substantially increase guessing costs, a rational attacker will give up well before he cracks most user passwords, and this prediction holds even if the attacker does not encounter diminishing returns for additional cracked passwords. Based on our analysis we advocate that password hashing standards should be updated to require the use of memory hard functions for password hashing and disallow the use of non-memory hard functions such as BCRYPT or PBKDF2.

Proceedings ArticleDOI
21 May 2018
TL;DR: This study performed a broad targeted attack combining several well-established cracking techniques, such as brute-force, dictionary, and hybrid attacks, on the passwords used by the students of a Slovenian university to access the online grading system to demonstrate how easy it is to crack most of the user-created passwords using simple and predictable patterns.
Abstract: An information system is only as secure as its weakest point. In many information systems that remains the human factor, despite continuous attempts to educate the users about the importance of password security and enforcing password creation policies on them. Furthermore, not only do the average users' password creation and management habits remain more or less the same, but the password cracking tools, and more importantly, the computer hardware, keep improving as well. In this study, we performed a broad targeted attack combining several well-established cracking techniques, such as brute-force, dictionary, and hybrid attacks, on the passwords used by the students of a Slovenian university to access the online grading system. Our goal was to demonstrate how easy it is to crack most of the user-created passwords using simple and predictable patterns. To identify differences between them, we performed an analysis of the cracked and uncracked passwords and measured their strength. The results have shown that even a single low to mid-range modern GPU can crack over 95% of passwords in just a few days, while a more dedicated system can crack all but the strongest 0.5% of them.
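The three stages named in the abstract (dictionary, hybrid, brute-force) fit together as a pipeline in which each stage is only run against the accounts the previous one left uncracked. The following is an added example, not code or data from the study: the five accounts, their passwords, the salts and the six-word wordlist are all constructed here, and plain salted SHA-256 stands in for whatever hash the grading system used (a fast hash keeps the demo quick and is exactly what makes such an attack cheap).

```python
import hashlib
import itertools
import string

# Constructed sample accounts (not data from the study): per-account salt and
# SHA-256(salt || password), computed from known plaintexts so the example
# runs offline.
SAMPLE_PLAINTEXTS = {
    "ana": "password",        # common word: falls to the dictionary stage
    "bojan": "Maribor2018",   # word + capital + year: hybrid stage
    "cvetka": "sonce1!",      # word + digit + symbol: hybrid stage
    "dejan": "ab7",           # short: exhaustive brute force
    "eva": "T7$kq!Vz9L#p",    # long and random: survives all three stages
}

# Tiny constructed wordlist; a real attack uses millions of entries.
WORDLIST = ["password", "maribor", "sonce", "qwerty", "ljubljana", "student"]


def hash_pw(salt, password):
    return hashlib.sha256((salt + password).encode()).hexdigest()


def make_leak(plaintexts):
    """Build {user: (salt, digest)} as an attacker sees it after a breach."""
    leak = {}
    for user, pw in plaintexts.items():
        salt = hashlib.sha256(user.encode()).hexdigest()[:16]  # deterministic demo salt
        leak[user] = (salt, hash_pw(salt, pw))
    return leak


def hybrid_candidates(words):
    """Dictionary words with the predictable mangling users apply to them."""
    suffixes = [""] + [str(y) for y in range(1980, 2019)] + [str(n) for n in range(100)]
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for suffix in suffixes:
                for symbol in ("", "!", "."):
                    yield base + suffix + symbol


def brute_force_candidates(charset, max_len):
    """Every string over charset up to max_len characters."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(charset, repeat=length):
            yield "".join(chars)


def try_candidates(leak, cracked, candidates, stage):
    """Hash each candidate against every still-uncracked account (salts force one hash per account)."""
    for cand in candidates:
        for user, (salt, digest) in leak.items():
            if user not in cracked and hash_pw(salt, cand) == digest:
                cracked[user] = (cand, stage)
        if len(cracked) == len(leak):
            break
    return cracked


def crack(leak):
    """Dictionary, then hybrid, then brute force; returns {user: (password, stage)}."""
    cracked = {}
    try_candidates(leak, cracked, WORDLIST, "dictionary")
    try_candidates(leak, cracked, hybrid_candidates(WORDLIST), "hybrid")
    try_candidates(leak, cracked,
                   brute_force_candidates(string.ascii_lowercase + string.digits, 3),
                   "brute-force")
    return cracked


if __name__ == "__main__":
    result = crack(make_leak(SAMPLE_PLAINTEXTS))
    for user in SAMPLE_PLAINTEXTS:
        print(user, result.get(user, ("<not cracked>", "-")))
```

The ordering matters for cost: the cheap stages remove the predictable passwords first, so the expensive exhaustive stage only pays the per-account salt penalty for the few accounts that are left, which is the same economics the study's GPU figures reflect.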

Proceedings ArticleDOI
19 Apr 2018
TL;DR: Adaptive characteristics are introduced to the user authentication mechanism, aiming to assist specific cognitive style user groups in creating more secure passwords; results strengthen the assumption that adaptive mechanisms based on users' differences in cognitive and visual behavior uncover a new perspective for improving password strength within graphical user authentication realms.
Abstract: Visual attention, search, processing and comprehension are important cognitive tasks during a graphical password composition activity. Aiming to shed light on whether individual differences in visual behavior affect the strength of the created passwords, we conducted an eye-tracking study (N=36), and adopted an accredited cognitive style theory to interpret the results. The analysis revealed that users with different cognitive styles followed different patterns of visual behavior which affected the strength of the created passwords. Motivated by the results of the first study, we introduced adaptive characteristics to the user authentication mechanism, aiming to assist specific cognitive style user groups to create more secure passwords, and conducted a second study with a new sample (N=40) to test the adaptive characteristics. Results strengthen our assumptions that adaptive mechanisms based on users' differences in cognitive and visual behavior uncover a new perspective for improving the password's strength within graphical user authentication realms.

Journal ArticleDOI
TL;DR: This paper proposes a new anonymity preserving mobile user authentication scheme for the global mobility networks (GLOMONETs) that meets the extended anonymity requirement without compromising any standard security requirements and performs well as compared to other techniques.
Abstract: Remote user authentication without compromising user anonymity is an emerging area in the last few years. In this paper, we propose a new anonymity preserving mobile user authentication scheme for the global mobility networks (GLOMONETs). We also propose a new anonymity preserving group formation phase for roaming services in GLOMONETs that meets the extended anonymity requirement without compromising any standard security requirements. We provide the security analysis using the widely-accepted Burrows-Abadi-Needham logic and informal analysis for the proposed scheme to show that it is secure against possible well-known attacks, such as replay, man-in-the-middle, impersonation, privileged-insider, stolen smart card, ephemeral secret leakage, and password guessing attacks. In addition, the formal security verification with the help of the broadly accepted automated validation of internet security protocols and applications software simulation tool is tested on the proposed scheme and the simulation results confirm that the proposed scheme is safe. Moreover, the comparative study of the proposed scheme with other relevant schemes reveals that it performs well as compared to other techniques.

Journal ArticleDOI
TL;DR: Findings from two experimental studies that investigate how variations in password meter usage and feedback can positively affect the resulting password choices are presented, showing that by providing richer information, users are more motivated towards making strong choices and changing initially weak ones.

Journal ArticleDOI
01 Jan 2018
TL;DR: A user-adaptive feature extraction method that captures individual users’ distinctive typing behaviors embedded in relative typing speeds for different digraphs is proposed that enhanced the performance of user authentication based on freely typed keystrokes.
Abstract: Keystroke dynamics has been used to strengthen password-based user authentication systems by considering the typing characteristics of legitimate users. The main problem with login-based authentication systems is that they cannot authenticate users after login access is granted. To ensure continuous user authentication, keystroke dynamics collected from freely typed text during the login period has been utilized; however, the authentication performance was unsatisfactory. To enhance the performance of user authentication based on freely typed keystrokes, we propose a user-adaptive feature extraction method that captures individual users' distinctive typing behaviors embedded in relative typing speeds for different digraphs. Based on experimental results obtained from 150 participants with more than 13,000 keystrokes per user in two languages (Korean and English), the proposed method achieved the best equal error rate (0.44). Furthermore, the authentication performance was enhanced by 45.3% for Korean and 39.0% for English compared with the benchmark fixed feature extraction method.
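The two ideas in the abstract, relative rather than absolute digraph speeds and a per-user choice of which digraphs to compare, can be shown on synthetic data. The following is an added example and my own simplified reading of those ideas, not the paper's method or data: the keystroke events are generated here from two invented typing habits, the normalization (median latency per digraph divided by the user's overall median latency) and the feature selection (the digraphs whose relative speed deviates most from 1.0) are assumptions, and the acceptance threshold is chosen for the synthetic data, not derived from the paper's EER.

```python
import random
import statistics
from collections import defaultdict


def digraph_latencies(events):
    """events: [(key, press_time_ms), ...] -> {digraph: [latency_ms, ...]}."""
    latencies = defaultdict(list)
    for (k1, t1), (k2, t2) in zip(events, events[1:]):
        latencies[k1 + k2].append(t2 - t1)
    return latencies


def relative_profile(events, min_samples=2):
    """Median latency per digraph divided by the user's overall median latency.

    Dividing out the overall median removes absolute speed (tired, different
    keyboard) and keeps only which digraphs are fast or slow for this user.
    """
    medians = {d: statistics.median(v)
               for d, v in digraph_latencies(events).items() if len(v) >= min_samples}
    overall = statistics.median(medians.values())
    return {d: m / overall for d, m in medians.items()}


def distinctive_digraphs(profile, k=4):
    """User-adaptive feature selection: the k digraphs that deviate most from
    the user's typical speed (relative value 1.0)."""
    return sorted(profile, key=lambda d: abs(profile[d] - 1.0), reverse=True)[:k]


def distance(template, sample, features):
    """Mean absolute difference of relative speeds over the chosen digraphs."""
    shared = [d for d in features if d in sample]
    if not shared:
        return float("inf")
    return sum(abs(template[d] - sample[d]) for d in shared) / len(shared)


def authenticate(template, sample, threshold=0.35):
    """Threshold is tuned for the synthetic data below, not taken from the paper."""
    return distance(template, sample, distinctive_digraphs(template)) <= threshold


# ---- constructed keystroke data (no real participants) ---------------------
TEXT = "the other there here three then and again and again"


def simulate(text, base_ms, multipliers, seed):
    """Synthetic press timestamps: each digraph takes base_ms times the user's
    multiplier for it (1.0 if unlisted), with 10% jitter."""
    rng = random.Random(seed)
    t = 0.0
    events = [(text[0], t)]
    for k1, k2 in zip(text, text[1:]):
        t += base_ms * multipliers.get(k1 + k2, 1.0) * rng.uniform(0.9, 1.1)
        events.append((k2, t))
    return events


ALICE = {"th": 0.4, "he": 0.6, "er": 1.6, "re": 1.4}   # fast "th", slow "er"
BOB = {"th": 1.6, "he": 1.4, "er": 0.4, "re": 0.6}     # the opposite habit


def demo():
    template = relative_profile(simulate(TEXT, 120, ALICE, seed=1))
    alice_slow = relative_profile(simulate(TEXT, 200, ALICE, seed=2))  # same habits, slower day
    bob = relative_profile(simulate(TEXT, 120, BOB, seed=3))           # same raw speed, other habits
    return {
        "features": distinctive_digraphs(template),
        "alice_accepted": authenticate(template, alice_slow),
        "bob_accepted": authenticate(template, bob),
    }


if __name__ == "__main__":
    print(demo())
```

Alice's second sample is typed at 200 ms per digraph against a 120 ms template and is still accepted, while Bob types at exactly the template's raw speed and is rejected: raw latencies would have produced the opposite decision, which is why the relative features matter for freely typed text.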

Book ChapterDOI
19 Dec 2018
TL;DR: A data security model (DSM) with a safe data retrieval framework is proposed which employs hyperelliptic curve cryptography for data encryption in order to avoid huge computation costs for the keys involved, and which is much faster than any other model employing HECC in the cloud.
Abstract: Cloud computing is making a big revolution in the information technology field since it is more advantageous than traditional systems. Outsourcing and remote data storage may stand as obstacles to the security of data in the cloud. A data security model (DSM) with a safe data retrieval framework is proposed which employs hyperelliptic curve cryptography for data encryption in order to avoid huge computation costs for the keys involved. The first approach is client-side encryption of data and then storing the encrypted data in the cloud. Registered users access data with a valid username and password provided by the client. Initially, data categorization is performed with sensitivity levels provided by clients, based on which data is placed in security sections. Various strategies utilized include 80-bit HECC encryption, SHA-3 (Secure Hash Algorithm-3) for integrity verification, data retrieval using an encrypted index, and dividing data into three sections for storage in the cloud. An algorithm to search files on the server with multiple keywords has been proposed and implemented. We have, for the first time, implemented HECC and HECC with parallel execution in the cloud with OpenStack, along with HECC-as-a-Service (HaaS). A detailed security and result analysis of the model is provided along with a comparison of the scheme with existing methods, which shows that the model is much faster than any other model employing HECC in the cloud.

Journal ArticleDOI
TL;DR: A two-factor authentication and key agreement scheme in 5G-integrated WSNs for the IoT that can resist various attacks, including those identified earlier, and that can preserve security requirements, including unlinkability is proposed.
Abstract: The integration of 5G networks and wireless sensor networks (WSNs) is critical in the new era of the Internet of Things (IoT), for a wide range of applications. However, despite the potential advantages of this integration, there are concerns about unforeseen security threats that may impact our daily lives. Authenticated key agreement is an essential security feature for secure communication between users and IoT devices, and for protecting IoT applications from security threats. An IoT notion-based authentication and key agreement scheme was recently proposed for heterogeneous WSNs, claiming to provide user anonymity and mutual authentication, as well as the ability to withstand several types of attacks. In this paper, we examine several security weaknesses of the aforementioned scheme. Next, we design a network architecture suitable for the integration of 5G networks and WSNs. Based on the network architecture, we propose a two-factor authentication and key agreement scheme in 5G-integrated WSNs for the IoT that can resist various attacks, including those identified earlier, and that can preserve security requirements, including unlinkability. Finally, we evaluate the security and performance of the proposed scheme and compare our scheme with other related schemes.