On the security of a two-factor authentication scheme