With the ever increasing adoption rate of Internet-enabled devices (also known as Internet of Things (IoT) devices) in applications such as smart home, smart city, smart grid and healthcare applications, we need to ensure the security and privacy of data and communications among these IoT devices and the underlying infrastructure. For example, an adversary can easily tamper with the information transmitted over a public channel, in the sense of modification, deletion and fabrication of data-in-transit and data-in-storage. Time-critical IoT applications such as healthcare may demand the capability to support external parties (users) to securely access IoT data and services in real-time. This necessitates the design of a secure user authentication mechanism, which should also allow the user to achieve security and functionality features such as anonymity and un-traceability. In this paper, we propose a new lightweight anonymous user
authenticated session key agreement scheme in the IoT environment. The proposed scheme uses three-factor authentication, namely; a user’s smart card, password and personal biometric information. The proposed scheme does not require the storing of user specific information at the gateway node. We then demonstrate the proposed scheme’s security using the broadly accepted Real-Or-Random (ROR) model, Burrows-Abadi-Needham (BAN) logic, and Automated Validation of Internet Security Protocols and Applications (AVISPA) software simulation tool, as well as presenting an informal security analysis to demonstrate its other features. In addition, through our simulations, we demonstrate that the proposed scheme outperforms existing related user authentication schemes, in terms of its security and functionality features, and computation costs.