Authentication is one of the most fundamental services in information security. Compared with traditional authentication methods, group authentication enables a group of users to be authenticated at once rather than authenticating each user individually. Therefore, it is preferred in the group-oriented environment, such as multicast/conference communications. While several group authentication schemes have been proposed over the past few years, no formal treatment for this cryptographic problem has ever been suggested. Existing papers only provide heuristic evidences of security and some of these schemes have later been found to be flawed. In this paper, we present a formal security model for this problem. Our model not only captures the basic requirement in group authentication that an adversary cannot pretend to be a group member without being detected, but also considers some desirable features in real-world applications, such as re-use of the credentials in multiple authentication sessions and allowance for users to exchange messages through asynchronous networks. We then introduce an efficient group authentication scheme where its security can be reduced to some well-studied complexity theoretic assumptions.