RFID (radio frequency identification) is an Internet of Things (IoT) enabling technology. All physical devices can be connected to the Internet of Things thanks to RFID. When RFID is extensively utilized and fast increasing, security and privacy concerns are unavoidable. Interception, manipulation, and replay of the wireless broadcast channel between the tag and the reader are all possible security threats. Unverified tags or readers provide untrustworthy messages. IoT requires a safe and consistent RFID authentication system. PUFs are also physical one-way functions made up of the unique nanoscopic structure of physical things and their reactivity to random occurrences. PUF includes an unclonable feature that takes advantage of physical characteristics to boost security and resistance to physical attacks. We analyze the security of the RSEAP2 authentication protocol that has been recently proposed by Safkhani et al., a hash-based protocol, and elliptic curve cryptosystem-based protocol. Our security analysis clearly shows important security pitfalls in RSEAP2 such as mutual authentication, session key agreement, and denial-of-service attack. In our proposed work, we improved their scheme and enhanced their version using physically unclonable function (PUF), which are used by the proposed protocol in tags. This research proposes a cloud-based RFID authentication technique that is both efficient and trustworthy. To decrease the RFID tag’s overhead, the suggested authentication approach not only resists the aforementioned typical assaults and preserves the tag’s privacy, but also incorporates the cloud server into the RFID system. According to simulation results, our approach is efficient. Moreover, according to our security study, our protocol can withstand a variety of attacks, including tracking, replay, and desynchronization assaults. Our scheme withstands all the 18 security features and further consumes the computation cost as 14.7088 ms which is comparable with the other schemes. Similarly, our scheme consumes the communication cost as 672 bits during the sending mode and 512 bits during the receiving mode. Overall, the performance of our proposed method is equivalent to that of related schemes and provides additional security features than existing protocols. Mutual authentication, session key generation, and ephemeral session security are all achieved. Using the real-or-random concept, we formalize the security of the proposed protocol.