Industrial Internet of Things (IIoT) has been widely adopted in various critical infrastructures. However, machine-to-machine (M2M) communication in IIoT is particularly vulnerable to a wide range of authentication and authorization attacks. Although a variety of end-to-end security protocols can be used to secure the communication channels, establishing such a secure channel (i.e., securely generating and exchanging the session key) is still challenging due to various reasons. The single-factor based Authenticated Key Exchange (AKE) schemes are no longer sufficient to provide adequate security in IIoT. Most password, smart card and biometric based multi-factor AKE (MAKE) schemes are not also applicable in M2M communication as they require human involvement. Recently, historical data based multi-factor AKE (HMAKE) schemes have appeared to be promising to achieve AKE in IIoT. However, the state-of-the-art HMAKE schemes do not still sufficiently address the various security and performance requirements in IIoT. Furthermore, advanced session hijacking attacks also pose additional security concerns as they hijack already established sessions and get unauthorized access to resources. In this work, we propose MFAA – a lightweight HMAKE scheme that effectively addresses most of the AKE-related authentication issues and session hijacking-based unauthorized accesses in IIoT. In MFAA, we systematically refine and intertwine historical hashes to produce a highly leakage-resilient second authentication factor for AKE and an authorization token (against session hijacking attacks) with a negligible performance overhead. In general, the proposed scheme has the following key features: 1) provides mutually authenticated two-factor security; 2) highly leakage-resistant even under the assumption of a strong adversary; 3) properly achieves perfect forward secrecy; 4) resilient against session hijacking attacks; 5) very lightweight and practical even for resource-constrained IIoT devices. Overall, the proposed scheme is highly effective both in terms of security guarantee and efficiency.