Comments on the security of the SPAPA strong password
authentication protocol

by Chris J. Mitchell and Siaw-Lynn Ng

Abstract:

The hash function based Strong Password Authentication Protocol
with User Anonymity (SPAPA) was designed to protect users against
monitoring by utilising temporary identities instead of true
identities.  In this letter we show that it is vulnerable to
several attacks, including two which allow an adversary to link
the activities of a user.