The involved private key is secret-shared across the device and an online server such that each share by itself is worthless. Cryptographic operations are performed jointly by device and server, but without ever reconstructing the private key. Because the distributed key shares are worthless on their own, the private key is safe as long as not both the device and the server are compromised. Also, the server cannot impersonate the user.
The user can instruct the server to longer cooperate no longer with the protocol in the case that the device is stolen, lost, or otherwise compromised.
3 Anti-hammering, online attack prevention
The online server is involved in every cryptographic operation and in verifying the password (without learning it!). Thus, the server can throttle and eventually block failed authentication attempts. The possibility to block after too many failed authentication attempts is also the reason why the involved password can be weak.