2024 article
UFinAKA: Fingerprint-Based Authentication and Key Agreement With Updatable Blind Credentials
Wang, M., Chen, J., He, K., Yu, R., Du, R., & Qian, Z. (2023, September 13). IEEE-ACM TRANSACTIONS ON NETWORKING.
Authentication and key agreement are two basic functionalities to guarantee secure network communications, which are naturally integrated as an Authentication and Key Agreement (AKA) protocol. AKAs usually either need a dedicated device to store a cryptographic key or require the user to remember a password. In recent years, AKAs built on biometrics, e.g., human fingerprints, have gained research attention since they avoid these issues. Unlike keys or passwords, which can be updated, biometrics carry greater risk because they cannot be reused once disclosed. However, existing mechanisms either explicitly expose the biometrics to the server or consume a massive amount of resources. This paper proposes UFinAKA, a privacy-preserving fingerprint-based authentication and key agreement system with updatable blind credentials. UFinAKA explores a fingerprint-based blind credential authentication scheme as a building block such that the server has no access to the fingerprint data hidden within the credential. Furthermore, UFinAKA provides an updatable fingerprint-based credentials AKA protocol, which allows the server to update the blind credentials and guarantees anonymous fingerprint authentication to mitigate further leakage when the server is corrupted. We perform security analysis and experimental evaluation on UFinAKA. The evaluation results show that UFinAKA requires only linear computation overhead for the client, a single round of interaction, and roughly linear computation and storage cost for the server. UFinAKA runs at least 4 times faster than the state-of-the-art solutions, and the storage cost of these solutions is at least 100 times more than that of UFinAKA.