A biometric authenticated key derivation (BAKD) scheme is an architecture allowing users to derive keys from their biometric characteristics with the help of the server via a wireless network. Traditionally, the user registers his/her biometric feature with the server, and the server keeps a record for the user to recover the key locked by the biometric data. In this case, when the server is compromised, an attacker is able to launch exhaustive attacks to learn the user's biometric input. With such a concern in mind, we introduce a notion called Biometric Enhanced Key Derivation (BEKD) to prevent brute-force attacks. In a BEKD scheme, the server does not store any biometric related information for the user. It is the user who locally stores tokens to recover the cryptographic key. An attacker who steals tokens from the user cannot launch exhaustive attacks to confirm the user's biometric distribution. In addition, the BEKD scheme protects users' privacy in that the server could not distinguish a user's biometric input from a token. We define security requirements for a BEKD scheme, present a concrete BEKD construction, and analyse its security. We also implement the proposed basic BEKD scheme to evaluate its performance in practice.