Phishing on A²PAKE

Highly interesting! Am I correct in assuming that the instantiation of an A²PAKE protocol in this paper is susceptible to phishing attacks? That is, if an attacker tricks the user into using both a malicious Main Authentication Server S_1 and a malicious Support Authentication Server S_2 for an Authentication phase, then the attacker would be able to offline brute-force the user's password? Also, this A²PAKE instantiation doesn't offer the user any means of validating the legitimacy of "signing requests" (messages to sign) from S_1 / MAS (i.e. no mutual authentication), right?