A handover authentication protocol enables mobile nodes (e.g., laptop PCs, smartphones, and vehicles) to seamlessly and securely roam over multiple access points [1]. Regardless of the mobile networking technology involved, as shown in Fig. 1, a typical handover authentication scenario involves three parties: mobile nodes (MNs), access points (APs), and the authentication server (AS). Normally, there is an agreement between APs and the AS to support roaming services. An MN first needs to register with the AS, and then can connect to the nearest AP to access its subscribed services while it is moving. When the MN moves from the current AP (e.g., AP1) into a new AP (e.g., AP2), handover authentication should be performed at AP2. Through handover authentication, AP2 authenticates the MN to reject any access request by an unauthorized user. Also, a session key should be established between the MN and AP2 to protect the data subsequently exchanged over the connection.

There are two major challenging issues in the design of handover authentication protocols. The first one is efficiency. On one hand, MNs generally have limited processing capability and power. On the other hand, in order to avoid connection disruption due to handover, a tight time limit is usually imposed on the handover process. For example, the IEEE suggests that the handover latency should be kept below 50 ms, of which the authentication process should not take more than 20 ms. Therefore, a handover authentication process is required to be computationally efficient. The second issue is security and privacy. While an authentication scheme aims to check the legitimacy of incoming MNs, it should also be designed to stand against security attacks [2] such as denial-of-service (DoS) attacks. For example, if an AP needs to carry out expensive cryptographic operations during the authentication process, adversaries can exhaust its resources by sending it a large number of bogus access requests. Moreover, privacy of MNs should be preserved. Otherwise, their private information disclosed in the handoff process may be exploited by APs.

In the literature, a number of handover authentication protocols have been proposed for mobile networks [3][4][5][6][7][8][9][10][11]. However, they do not adequately address the above issues. Recently, a new handover authentication protocol called PairHand [12] has been proposed. It outperforms those protocols in terms of efficiency, security, and privacy. One of the distinguishing features of PairHand is that it only requires two handshakes between an MN and an AP during authentication, and does not involve any certificate as in a traditional public key cryptosystem.

In this article, we first discuss the security and efficiency requirements of handover authentication protocols. Then we review the earlier proposed protocols, and discuss how their security weaknesses and efficiency problems are overcome by PairHand. Subsequently, a more novel handover authentication protocol, HashHand, is designed. While preserving the merits of PairHan...