To ensure the information security of communication between two parties， many Authenticated Key Agreement （AKA） protocols have been proposed and applied in practical scenarios. However， the existing three-factor protocols have security vulnerabilities， such as being vulnerable to smart card loss attacks and password guessing attacks， and some even ignore anonymity. In order to solve the problems， a new three-factor anonymous authentication and key agreement protocol was proposed. In the proposed protocol， smart card， password and biometric authentication technology were integrated， the password and biometric characteristic update phase， the update and distribution phase of the smart card were added， and the Computational Diffie-Hellman （CDH） assumption on the elliptic curve was used for information interaction so as to realize secure communications. The security of the proposed protocol was proved by using the random oracle model. Compared with similar protocols， the analysis results show that the proposed protocol can prevent many attacks such as smart card loss attacks and replay attacks， realizes more comprehensive functions such as anonymity and free updating of password， and has higher computing and communication efficiency.