Increasing number of online services have brought great convenience to users, and remote user authentication schemes have been widely used to verify the legitimacy of the authorized users. However, most of the existing authentication schemes are based on password, in which users need to remember the complex passwords and change them frequently. In addition, the great majority of authentication schemes have security defects. Through the analysis of the scheme proposed by Haq et al., we find that it is difficult to resist the key compromise impersonation attack. Therefore, an improved two-factor multiserver authentication scheme without password is proposed. The perfect combination of the user s biological characteristics and the PUF s physical characteristics enhances the practicality and efficiency of the solution. Security analysis of the proposed scheme shows that it can resist various known security attacks.