The Internet of Things (IoT) can be applied to applications in various fields such as industry, medical care, and public security because IoT enables remote sensing and control in heterogeneous environments. Wireless sensor networks (WSNs) are an important infrastructure in IoT, where a sensor node provides the collected data to authorized users. Because of the resource-constrained nature of sensor nodes such as transmission and computational capabilities and the limited energy, how to ensure both security and efficiency of WSNs in IoT environments becomes a challenge. Recently, Li et al. proposed a three-factor anonymous authentication scheme by adopting a fuzzy commitment scheme and an error correction code to handle the user's biometric data for WSNs in IoT environments. They claimed their scheme could ensure computational efficiency and achieve more security and functional features. After analyzing their authentication scheme, we find that it cannot ensure security. First, a malicious user can retrieve a sensor node's secret and impersonate the sensor node. Second, a malicious user can acquire the sensory data without the gateway node even with a forged identity. Third, the malicious user can retrieve another legal user's essential information for authentication and impersonate this innocent user. In this paper, how these security flaws damage Li et al.'s authentication scheme and further discussions will be shown in detail.