Cloud computing is an emerging technology that allows different service providers to offer services in an on-demand environment. Due to the advantages such as flexibility, mobility, and costs saving, the number of cloud user has increased tremendously. Consequently, a more secure and privacy preserving authentication system is becoming important to ensure that only the data owner or the authorized user can gain access and manipulate data stored in the cloud. In the current approach, the service provider authenticates its users based on the credential submitted such as password, token and digital certificate. Unfortunately, these credentials can often be stolen, accidentally revealed or hard to remember. In view of this, we propose a biometric-based authentication protocol, which can be used as the second factor for the cloud users to send their authentication requests. In our solution, the credential submitted by the users consists of the biometric feature vector and the verification code. For the user to successful authenticate, both the biometric feature vector and the verification code must be combined, transformed, and shuffled correctly. Our proposed solution not only provides the security mechanism for the authentication process, but also supports the privacy protection for all sensitive information of the user.