User authentication is a most important protocol in a distribution network. Those authentication schemes have been proposed for many years, and a one-time password authentication scheme is one of them. In 2004, Lin and Chang proposed a one-time password authentication scheme which is free from replay attacks, server spoofing attacks, off-line dictionary attacks, active attacks, and revelation of message contents. However, their scheme will suffer from guessing attacks which is proposed by us in this paper.