In recent years, with the wide deployment of client–server architectures, the problem of ensuring that only legitimate users can access remote services has attracted much attention. Consequently, many chaotic maps-based authenticated key agreement schemes using static IDs have been proposed and widely used. However, static-ID authentication schemes cannot provide user anonymity, so a dynamic-ID authentication scheme is the better choice. Recently, Lin proposed a chaotic maps-based mobile dynamic ID authenticated key agreement scheme and proved that it was secure against existential active attacks. Unfortunately, in this paper we show that Lin's scheme cannot resist dictionary attacks, user spoofing attacks, and denial-of-service attacks. Moreover, this paper is the first to present an attack method we call the exclusive-or operation with pad operation leaking attack, which leads to the worst-case outcome: an adversary obtains the session key without being detected. In addition, the password-change phase of Lin's scheme does not authenticate the user. In other words, anyone else can enter two unrelated passwords and the mobile device will still update the stored password, with the consequence that the legitimate user can never log in again. Finally, we propose an improved protocol based on chaotic maps that is provably secure in the random oracle model. Compared with previous related work, the improved protocol not only withstands existential active attacks but also has better computational efficiency. Copyright © 2015 John Wiley & Sons, Ltd.
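The following Python is an added illustration, not code from the paper and not a reproduction of Lin's protocol. It shows only the algebraic property that an "exclusive-or with pad" leak relies on: a value transmitted as value XOR pad is recovered by anyone who obtains the pad, and if the same pad masks two values of which the adversary knows one (a public identity, a constant), the pad is never needed at all. The 16-byte session key, user ID and pad below are constructed sample values; the function names are ours.

```python
"""Generic demonstration of how XOR masking with a pad leaks the masked value.

Constructed sample values only; this illustrates the algebraic property,
not the message flow of any particular protocol.
"""
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two equal-length byte strings."""
    if len(a) != len(b):
        raise ValueError("operands must have equal length")
    return bytes(x ^ y for x, y in zip(a, b))


def mask(value: bytes, pad: bytes) -> bytes:
    """Protocol-style masking: transmit value XOR pad instead of value."""
    return xor_bytes(value, pad)


def recover_with_leaked_pad(masked: bytes, pad: bytes) -> bytes:
    """Case 1: the pad is obtainable by the adversary (sent in clear, or
    derivable from transcript values). XOR is its own inverse, so
    masked XOR pad = value."""
    return xor_bytes(masked, pad)


def recover_via_pad_reuse(masked_known: bytes, known_value: bytes,
                          masked_secret: bytes) -> bytes:
    """Case 2: one pad masks two values and the adversary knows one of them.
        masked_known  XOR known_value = pad
        masked_secret XOR pad         = secret
    The pad itself is never observed directly."""
    pad = xor_bytes(masked_known, known_value)
    return xor_bytes(masked_secret, pad)


# Constructed sample values (assumptions for this illustration, not real data).
SESSION_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
USER_ID = b"user-0001-public"  # 16 bytes, assumed to be publicly known
PAD = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


def leaked_pad_scenario() -> bool:
    """Adversary sees SESSION_KEY XOR PAD on the wire and also learns PAD."""
    masked_key = mask(SESSION_KEY, PAD)
    return recover_with_leaked_pad(masked_key, PAD) == SESSION_KEY


def pad_reuse_scenario() -> bytes:
    """Adversary sees USER_ID XOR PAD and SESSION_KEY XOR PAD, knows USER_ID."""
    masked_id = mask(USER_ID, PAD)
    masked_key = mask(SESSION_KEY, PAD)
    return recover_via_pad_reuse(masked_id, USER_ID, masked_key)


def fresh_pad_scenario() -> bool:
    """Countermeasure: an independent, single-use pad per masked value.
    The reuse attack then yields an unrelated 16-byte string (it matches the
    real key only with probability 2**-128)."""
    pad_id = secrets.token_bytes(16)
    pad_key = secrets.token_bytes(16)
    masked_id = mask(USER_ID, pad_id)
    masked_key = mask(SESSION_KEY, pad_key)
    guess = recover_via_pad_reuse(masked_id, USER_ID, masked_key)
    return guess == SESSION_KEY


if __name__ == "__main__":
    print("leaked pad recovers key:", leaked_pad_scenario())
    print("pad reuse recovers key: ", pad_reuse_scenario() == SESSION_KEY)
    print("fresh pads recover key: ", fresh_pad_scenario())
```

The practical lesson for reviewing a key agreement design is to trace every pad: if it is reused across messages, or can be recomputed from values the adversary sees, XOR masking offers no confidentiality for the session key, and the protocol participants have no way to notice the recovery.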