As advancements in vehicle electronics and intelligence accelerate, the number of electronic control units (ECUs) is rapidly increasing, thereby heightening the likelihood of errors and cyberattacks. To counter these threats, original equipment manufacturers (OEMs) are adopting over-the-air (OTA) updates to manage software and firmware remotely. However, OTA updates introduce critical security vulnerabilities, because the communication network is equally accessible to attackers. The single authentication architecture centered on the central gateway (CGW), commonly adopted in prior studies, has structural limitations that significantly reduce its defensive performance against internal network intrusions or CGW compromises. This study proposes a secure OTA protocol that overcomes these limitations by performing ECU-level multi-factor authentication and replacing the CGW-dependent architecture. The proposed approach mitigates the risk of single points of failure in centralized architectures by enabling each ECU to perform mutual authentication directly with the update server. Furthermore, it is designed to be implemented using low-cost security modules on resource-constrained ECUs. The experimental results show that the proposed protocol effectively defends against malicious internal updates while minimizing computational and memory overhead, confirming its applicability to real-world vehicular environments. These findings contribute to enhancing OTA security in the coming era of software-defined vehicles (SDVs).