Online banking and electronic payment systems on the Internet are becoming increasingly advanced. On the machine level, transactions take place between client and server hosts through a secure channel protected with SSL/TLS. User authentication is typically based on two or more factors. Nevertheless, the development of various malwares and social engineering attacks transform the user's PC in an untrusted device and thereby making user authentication vulnerable. This paper investigates how user authentication with biometrics can be made more robust in the online banking context by using a specific device called OffPAD. This context requires that authentication is realized by the bank and not only by the user (or by the personal device) contrary to standard banking systems. More precisely, a new protocol for the generation of one-time passwords from biometric data is presented, ensuring the security and privacy of the entire transaction. Experimental results show an excellent performance considering with regard to false positives. The security analysis of our protocol also illustrates the benefits in terms of strengthened security.