Biometric-based remote user authentication is a useful primitive that allows an authorized user to authenticate to a remote server using his biometrics. Leakage attacks, such as side-channel attacks, allow an attacker to learn partial knowledge of secrets (e.g., biometrics) stored on any physical medium. Leakage attacks can be potentially launched to any existing biometric-based remote user authentication systems. Furthermore, applying plain biometrics is an efficient and straightforward approach when designing remote user authentication schemes. However, this approach jeopardises user’s biometrics privacy. To address these issues, we propose a novel leakage-resilient and privacy-preserving biometric-based remote user authentication framework, such that registered users securely and privately authenticate to an honest-but-curious remote server in the cloud. In particular, the proposed generic framework provides optimal efficiency using lightweight symmetric-key cryptography, and it remains secure under leakage attacks. We formalize several new security models, including leakage-resilient user authenticity and leakage-resilient biometrics privacy, for biometric-based remote user authentication, and prove the security of proposed framework under standard assumptions.