To provide high-security remote authentication, three-factor authentication schemes combining biometrics with a smart card and a password have been proposed. After a careful review of the recently proposed Lee–Hsu's scheme, this paper points out some design flaws in it. To overcome them, a new scheme based on fuzzy extractors is proposed. Through a detailed analysis, this paper demonstrates that the proposed scheme is more practical and reasonable. It also has higher security and deals with biometrics more appropriately than Lee–Hsu's scheme, in spite of a higher computation cost at the client. Furthermore, an access control method is introduced so that different users enjoy different access privileges with regard to the data. The proposed scheme can also achieve key agreement. Copyright © 2014 John Wiley & Sons, Ltd.