The invention discloses a double-factor bidirectional authentication method, a client and a server. The method comprises the following steps of: generating authentication requests, obtaining authorization of USBKey, extracting a user certificate and a user private key in the USBKey; receiving a server certificate from the server, receiving random number S, verifying the signature of the random number S by using the public key of the server; using the user private key for signing the signature-verified random number S; generating random numbers C, signing a random number C by using a user private key; sending the user certificate, the random number C signed by the user private key and the random number S signed by the user private key to a server; and receiving the random number C, verifying the signature of the random number C signed by the server-side private key by using the server-side public key, comparing whether the verified random number C is consistent with the previous randomnumber C, and judging the legality of the server-side according to a comparison result. According to the method, any end is effectively prevented from being hijacked or replayed, and the security of remote authentication of the user is greatly enhanced.