Wireless Body Area Networks (WBANs), groups of sensors deployed inside a human body, are envisioned to improve the healthcare domain by continuously monitoring a patient's health and reporting it to health care systems. However, the openly deployed nature of the sensor nodes, coupled with the lack of security, makes it easy for intruders to attack WBANs. In this paper, we propose a new scheme, PMAS, to achieve mutual authentication between a cell phone (a personal device representing the sink) and the WBAN's sensor nodes. In addition, based on a modified version of the Diffie-Hellman key exchange scheme, we establish a shared secret key between the sink and every sensor node in the network. The security analysis shows that PMAS thwarts different attacks, including replay, fake sink, fake sensor, and Denial of Service (DoS) attacks. Furthermore, the computation and communication overheads added by our scheme are much smaller than those of previous authentication schemes.