Radio-frequency identification (RFID) is an up-and-coming technology. The major limitations of RFID technology are security and privacy concerns. Many methods, including encryption, authentication and hardware techniques, have been presented to overcome security and privacy problems. This paper focuses on authentication protocols. The combination of RFID technology being popular but insecure has led to an influx of mutual authentication protocols. Authentication protocols are classified as being fully fledged, simple, lightweight or ultra-lightweight. Since 2002, much important research and many protocols have been presented, with some of the protocols requiring further development. The present paper reviews in detail recently proposed RFID mutual authentication protocols, according to the classes of the authentication protocols. The protocols were compared mainly in terms of security, the technique that they are based on, the protocols that each presented protocol has been compared with, and finally, the method of verifying the protocol. Important points of the comparisons were collected in two tables.
Radio-frequency identification (RFID) is being developed to distinguish the correct object with a small tag. This technology has been considered one of the most substantial technologies of recent decades. RFID systems consist of a tag, a tag reader and a back-end database server. The reader reads the RFID tag's identifier and sends the queried identity to the back-end server. The information obtained from the tag is mostly an index to a back-end database.
The tags are classified into three types according to how they are powered: active, semi-active and passive tags. Active RFID tags need internal batteries to power the electronic components and to create a reply signal to the reader. Semi-active (also called semi-passive) tags use batteries only to power the microchip's circuit, and they harvest energy from the reader's radio signal to create a reply signal to the reader. Passive tags harvest their energy from the reader. RFID tags are also grouped into three basic frequency ranges: low frequency (125–134 kHz), high frequency (13.56 MHz) and ultra-high frequency (860–960 MHz). Passive (low-cost) RFID tags that operate in ultra-high-frequency bands have allowed innovation in several fields of daily application, such as building access control, supply chain management and goods tracking. The Electronic Product Code (EPC) Class1 (C1) Generation2 (Gen2) standard is an example of passive RFID technology.
Some experts believe that optical barcodes will be replaced with low-cost RFID tags attached to consumer items. However, owing to the wireless nature of communication between the tag and reader, this technology faces major security and privacy threats. Mutual authentication protocols are generally used to defend against attacks on the communication between the reader and tags. Since 2002, much research has been conducted and numerous protocols have been proposed, but some of these still need to be developed further.
In the following sections, Sect. 2 discusses and explains authentication protocols and their goals. Section 3 examines and compares protocols according to their class. Section 4 evaluates the comparison. Section 5 presents conclusions drawn from the review of authentication protocols.
2 Authentication protocols
Lopez et al. presented many solutions to overcome the security issues and risks associated with RFID systems. In this study, we look in depth at authentication protocols. Authentication is the first step in defending against wireless attacks on RFID systems. Once the server validates the identity of the RFID tag, it begins trusting the tag. After authentication, the reader can access the contents of the authenticated tags.
2.1 Classes of authentication protocols
Chien stated that authentication protocols are divided into four classes according to the tag's computational cost and supported operations.
• Fully fledged protocols: Protocols that support symmetric and asymmetric encryption, and a one-way function. Examples are in [7, 8].
• Simple protocols: Protocols that support a hash function and a random number generator (RNG). Examples of this class are given in [9, 10].
• Lightweight protocols: Protocols that support cyclic redundancy check (CRC) and RNG. Examples are given in [11–14].
• Ultra-lightweight protocols: Protocols that are tailored specially to extremely constrained devices. These protocols involve only simple bitwise operations (like AND, OR, XOR) on tags. Examples are given in [15, 16].
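As an added illustration (not taken from this paper or from any of the cited protocols), the sketch below shows a mutual authentication exchange of the "simple" class, in which the tag needs only a hash function and an RNG. SHA-256, the message layout, the database search and all names are assumptions made for this example.

```python
import hashlib
import hmac
import secrets

def h(*parts: bytes) -> bytes:
    # Length-prefix each field so concatenated inputs stay unambiguous.
    d = hashlib.sha256()
    for p in parts:
        d.update(len(p).to_bytes(2, "big") + p)
    return d.digest()

class Tag:
    def __init__(self, key: bytes):
        self.key, self.nt = key, b""

    def respond(self, nr: bytes):
        self.nt = secrets.token_bytes(16)            # tag-side RNG
        return self.nt, h(b"tag", self.key, nr, self.nt)

    def verify_server(self, nr: bytes, proof: bytes) -> bool:
        return hmac.compare_digest(proof, h(b"srv", self.key, nr, self.nt))

class Server:
    def __init__(self, db: dict):
        self.db, self.pending = db, set()            # db: tag_id -> shared key

    def challenge(self) -> bytes:
        nr = secrets.token_bytes(16)                 # reader-side RNG
        self.pending.add(nr)
        return nr

    def authenticate(self, nr: bytes, nt: bytes, proof: bytes):
        if nr not in self.pending:                   # unknown or replayed challenge
            return None, None
        self.pending.discard(nr)                     # each challenge is single-use
        for tag_id, key in self.db.items():          # tag sends no ID; search the DB
            if hmac.compare_digest(proof, h(b"tag", key, nr, nt)):
                return tag_id, h(b"srv", key, nr, nt)
        return None, None

def run_session(tag: Tag, server: Server):
    nr = server.challenge()                          # reader -> tag
    nt, tag_proof = tag.respond(nr)                  # tag -> reader -> server
    tag_id, srv_proof = server.authenticate(nr, nt, tag_proof)
    mutual = tag_id is not None and tag.verify_server(nr, srv_proof)
    return tag_id, mutual, (nr, nt, tag_proof)

# Constructed sample database and keys, for illustration only.
DB = {b"TAG-0001": b"k1" * 16, b"TAG-0002": b"k2" * 16}
```

Because both proofs bind a fresh reader nonce and a fresh tag nonce, a recorded transcript is rejected when presented again, and a tag without a key in the database is never identified.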
2.2 Goals of authentication protocols
Considering the variety of potential threats, an authentication protocol, whatever the class, should address all or most of the following security threats and services.