This paper focuses on authentication with three types of entities: a user who sends an authentication request, an authentication-server who receives and verifies the request, and a database who supplies the authentication-server with information for verifying the request. This paper presents novel authentication protocols that satisfy the following important properties: (1) secure against replay attacks, (2) the database(s) cannot identify which user is authenticating and (3) the authentication-server cannot identify to which user a given authentication-request corresponds. Firstly, we show a protocol with a single database which satisfies Properties (1) and (2). Secondly, we show a protocol with multiple databases which satisfies Properties (1), (2) and (3). A key idea of our authentication protocols is to use private information retrieval (PIR) [Chor et al. J. ACM, 1998].