Wireless sensor networks (WSNs) play an influential role in the advancement of Internet of Things (IoT) because the infrastructure of WSNs consists of lots of sensors, which can be used to collect online data by the users or service providers; however, in the process of collecting the data, the users and service providers have to communicate with the sensors through an unprotected channel, so the confidentiality and integrity of the transmitted messages might be threatened by an adversary. Consequently, several authentication protocols have been proposed to provide a secure authentication process for IoT-based WSNs. In this paper, we analyze Ghani et al.'s protocol and demonstrate that their protocol is vulnerable to user impersonation attack, malicious gateway attack, and traceability attack. Furthermore, it suffers from some design weaknesses. To fix these drawbacks, we propose a new hash-based authentication protocol for IoT-based WSNs. We analyze our protocol with both formal and informal methods to show that our protocol is secure against various known attacks such as sensor and user trace, sensor capture, off-line password guessing, and replay attacks. Finally, we evaluate our protocol in terms of security features and communication and computation costs. The results show that not only the proposed protocol is more secure than other existing protocols but also reduces 60% of the execution time of the user authentication process in comparison with Ghani et al.'s protocol.