In this work propose a protocol combining a Physical Un-clonable Function (PUF) with Password-based Authenticated Key Exchange (PAKE). The resulting protocol provides mutual multifactor au-thentication between client and server and establishes a session key between the authenticated parties, important features that were not found simultaneously in the literature of PUF-based authentication. The combination can be adapted to support a panic password which allows the client to notify the server in case of emergency. Moreover, a novel protocol for two-factor transaction authentication is proposed. This ensures that only parties authenticated in the current session can realize valid bank transactions.