This article presents an authentication and key agreement protocol for users who want to have access to constrained sensor nodes deployed in the field, e.g., doctor with healthcare nodes of patient. Both sensor and user device provide direct multifactor authentication relying on physical unclonable functions and biometrics, respectively. In addition, our scheme offers protection against the presence of a semi-trusted third party, perfect forward secrecy, anonymity, untraceability, and protection against session specific data loss attacks. The combination of all these security features is unique. Moreover, it is shown that the resulting scheme outperforms most state-of-the art schemes with respect to computation and communication costs.