Abstract:
Biometric authentication is yet to find widespread acceptance in applications requiring authentication between a remote client and server (e.g., electronic commerce). This is partly because the biometric authentication process can be circumvented through attacks on the communication interfaces or on the stored biometric templates. In this paper, we propose a biometrics-based protocol for secure authentication and key exchange between a client and a server. The proposed BioSAKE protocol is based on key-binding biometric cryptosystems and satisfies the following requirements: (i) mutual authentication between the client and the server, (ii) secure exchange of a session key between the two entities, (iii) minimal leakage of biometric information from stored credentials, and (iv) revocability of stored credentials. A detailed security analysis of the BioSAKE protocol has also been presented. Experiments on public-domain fingerprint and iris databases demonstrate the practical feasibility of the BioSAKE protocol.
Published in: 2013 International Conference on Biometrics (ICB)
Date of Conference: 04-07 June 2013
Date Added to IEEE Xplore: 30 September 2013
Electronic ISBN: 978-1-4799-0310-8
Print ISSN: 2376-4201