Mobile communication is now an essential part of our day-to-day life due to expeditious progress in the industry of information technology. Prior to session key exchange with the corresponding server, a mobile user needs to be authenticated by that server in order to avail its services. Assorted authentication protocols are introduced so far, for authenticating the legitimate mobile users. Very recently, Lu et al introduced a two-factor scheme for key exchange in the mobile client-server environment. Lu et al declared that their introduced scheme is anonymous and robust for preventing potential attacks. However, we determined that the scheme of Lu et al is susceptible against server key reveal and smart card stolen attack. Moreover, it is also identified that their scheme is prone to traceability and anonymity violation attacks. Therefore, we proposed an improvement in order to increase the security and effectiveness. The immunity of the proposed protocol and correctness is tested, analyzed, and verified through formal proof of automated tool ProVerif and Burrows-Abadi-Needham logic, respectively. Moreover, the security and performance comparison also proved that the improved scheme is robust, efficient, and lightweight. KEYWORDS anonymity, authentication protocol, cryptanalysis, impersonation attack, key exchange, smart card stolen attack, traceability Int J Commun Syst. 2018;31:e3814.wileyonlinelibrary.com/journal/dac