Authentication and key agreement protocols are indispensable for today's network applications. Many two-factor authentication and key agreement protocols based on a smart card and a password have been proposed over the last decade. However, many of these schemes are vulnerable to password-guessing attacks because passwords have low entropy. In this paper, we show how to mount an offline password-guessing attack against a two-factor authentication protocol. To counter this type of attack, we propose a new scheme that employs biometric information as a third authentication factor alongside the smart card and password. Biometric information has many positive characteristics that compensate for the shortcomings of passwords. The proposed scheme also provides user untraceability, a desirable feature for protecting users' privacy.
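As an added illustration (not the paper's protocol or code), the following toy Python shows the core point of the abstract from the defender's side: when the only secret bound into a login authenticator is a low-entropy password, anyone holding the transcript can confirm a dictionary guess offline; once a high-entropy secret from the smart card and a biometric-derived key are also bound in, the transcript alone no longer verifies a guess. The user name, nonce, toy dictionary and message format are all constructed for the example, and `h` is a plain SHA-256 stand-in for whatever hash the real scheme uses.

```python
import hashlib
import secrets
from typing import Iterable, Optional

# Constructed toy dictionary standing in for a low-entropy password space.
TOY_DICTIONARY = ["123456", "password", "qwerty", "letmein", "hunter2"]


def h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (toy stand-in for the scheme's hash)."""
    m = hashlib.sha256()
    for p in parts:
        m.update(len(p).to_bytes(2, "big"))
        m.update(p)
    return m.digest()


def weak_login_message(user_id: bytes, password: bytes, nonce: bytes) -> dict:
    """Login message whose authenticator depends only on public values and the password.
    Everything needed to recompute `auth` except the password is in the transcript."""
    return {"id": user_id, "nonce": nonce, "auth": h(user_id, password, nonce)}


def hardened_login_message(user_id: bytes, password: bytes, nonce: bytes,
                           card_secret: bytes, bio_key: bytes) -> dict:
    """Same message, but the authenticator is additionally bound to a high-entropy
    smart-card secret and a biometric-derived key (hypothetical third factor)."""
    return {"id": user_id, "nonce": nonce,
            "auth": h(user_id, password, card_secret, bio_key, nonce)}


def offline_guessable(msg: dict, dictionary: Iterable[str],
                      extra_secrets: tuple = ()) -> Optional[str]:
    """Defender-side check: can a dictionary password be confirmed from the captured
    transcript plus whatever `extra_secrets` the checker holds? Returns the confirmed
    password, or None if no dictionary entry matches."""
    for guess in dictionary:
        candidate = h(msg["id"], guess.encode(), *extra_secrets, msg["nonce"])
        if secrets.compare_digest(candidate, msg["auth"]):
            return guess
    return None


def demo() -> dict:
    """Run both message variants through the check and return the outcomes."""
    user_id, password, nonce = b"alice", b"hunter2", secrets.token_bytes(16)
    card_secret, bio_key = secrets.token_bytes(32), secrets.token_bytes(32)
    weak = weak_login_message(user_id, password, nonce)
    hard = hardened_login_message(user_id, password, nonce, card_secret, bio_key)
    return {
        # transcript alone suffices against the password-only authenticator
        "weak_transcript_only": offline_guessable(weak, TOY_DICTIONARY),
        # transcript alone is useless once high-entropy factors are bound in
        "hardened_transcript_only": offline_guessable(hard, TOY_DICTIONARY),
        # only a party holding the card secret and biometric key can verify
        "hardened_with_factors": offline_guessable(hard, TOY_DICTIONARY,
                                                   (card_secret, bio_key)),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the comparison is not the hash but what the hash is keyed by: a verifier that needs only transcript values and the password turns every captured login into an offline oracle over a space small enough to enumerate, whereas binding a 256-bit card secret and a biometric-derived key leaves an attacker with the transcript nothing to test guesses against.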