Abstract: Mobile phones and Internet applications are widely used nowadays,which enables users to authenticate with the server with the help of mobile phones. However,existing schemes need to store the user’s secret or ciphertext on the mobile phone. Once the mobile phone is lost, opponents may get the secret information on the phone, which will bring irreparable loss to the user. Aiming at the above problems, we propose a kind of authentication scheme based on fingerprint and password which has no need to store a secret in the mobile phone. The core idea is to store the encrypted text on the server side. When the user logs in, he uses his mobile phone to generate the private key which is used to decrypt the ciphertext generated during the registration phase. The user needs to enter his password and fingerprint at the private key generation process.When the computer interacts with the mobile phone, the user’s password will be blind so that it can be protected from adversaries’ attacks. Theoretical analysis and experimental results show that our scheme reinforces the security of the user’s secret. Meanwhile,our scheme can resist dictionary attacks,replay attacks and phishing attacks while reducing the storage pressure of the mobile phone along with easy deployment.