Internet of Things (IoT) has become the driving force in modern day technology with an increasing and rapid urge to create an intelligent, efficient, and connected world. IoT is used in manufacturing, agriculture, transportation, education, healthcare and many other business environments as well as home automation. Authentication for IoT devices is essential because many of these devices establish communication with servers through public networks. A rigorous lightweight device authentication scheme is needed to secure its physical hardware from cloning or side-channel attacks and accommodate the limited storage and computational power of IoT devices in an efficient manner. In this paper, we introduce a lightweight mutual two-factor authentication mechanism where an IoT device and the server authenticate each other. The proposed mechanism exploits Physical Unclonable Functions (PUFs) and a hashing algorithm with the purpose of achieving a secure authentication and session key agreement between the IoT device and the server. We conduct a type of formal analysis to validate the protocol's security. We also validate that the proposed authentication mechanism is secure against different types of attack scenarios and highly efficient in terms of memory storage, server capacity, and energy consumption with its low complexity cost and low communication overhead. In this sense, the proposed authentication mechanism is very appealing and suitable for resource-constrained and security-critical environments.
Keywords: HMAC; IoT device authentication; SRAM; arbiter; invasive attack; physical unclonable functions.