Due to rapid advancements in hardware and mobile communication technologies, the usage of various mobile-based online applications is increasing tremendously. However, security and privacy are two of the most essential features of wireless communication. Using a Mutual Authentication and Session Key Agreement (MASK) scheme, an authorized mobile user can login to a remote server over the Internet. In quantum contexts, many of the MASK schemes are not secure. This paper proposes a One-Time Password (OTP) and biometric-based Multi-Factor MASK (OTP-MF-MASK) scheme for mobile users. We used Peikert’s authentication and reconciliation mechanism, defined for the post-quantum environments. The OTP-MF-MASK scheme used a password, mobile device, biometric, and OTP as login credentials. To avoid the biometric acquisition problem, we used the fuzzy extractor in the OTP-MF-MASK scheme. We proved that the OTP-MF-MASK scheme is semantically secure in the Random Oracle Model (ROM) based on the hardness assumption of the Ring Learning With Errors (RLWE) problem. The OTP-MF-MASK scheme is compared with state-of-the-art schemes to justify the attack-resilience and computation efficiencies in quantum environments.