Abstract: A password-based authentication protocol is a security technology that ensures confidentiality and integrity for users who use services in a public network. Recently, Sahlani and Lu proposed a lightweight authenticated key agreement scheme using smart card and insisted that their scheme can withstand various types of attacks and satisfy diverse security requirements. However, after careful analysis, we discovered that Sahlani and Lu’s authentication scheme includes several security vulnerabilities. First, the registration phase of their scheme is inefficient, since, users are using unnecessary verification process. Second, their scheme employs an improper identification process for user biometrics. Third, the scheme cannot guarantee to protect from off-line identity guessing attack and there is no session key verification process in the authentication process. In this study, we explain in detail how the aforementioned vulnerabilities occur and propose an upgraded version. The analysis shows that our proposed scheme is more secure and efficient than other related authentication schemes.