The invention relates to an IoT device identity authentication method based on a physical unclonable function. In combination with the property characteristic of the physical unclonable function and zero-knowledge proof contents, the method can be used for identity authentication of multiple devices and users themselves in an IoT network, and belongs to the field of IoT security in information security. In the authentication method, four entities, namely a server, a user, an access device and an accessed device, are included; the authentication method has the main contents as follows: in a registration stage, the server needs to store a response value and a user password for a special challenge in the power form of a discrete logarithmic group generator, so that device registration is carried out; in an authentication stage, the server sends the registered challenge to perform secondary response; at this time, the access device and the device as the whole perform zero-knowledge proof with the user and the server; simultaneously, the access device, the device and the server perform another zero-knowledge proof; and identity authentication of the user, and initial authentication andfinal authentication of the validity of the access device and the device are completed to the server.