The Internet of Things (IoT) is an enormous ubiquitous-network, which connects the objects through various sensors. The IoT technology promotes the interconnection and fusion between the physical world and information space, and it facilitates the day-to-day life of people. However, since a lot of equipped sensors are unattended and open, the IoT must face and overcome the main problems of security and privacy. Authentication is one of the paramount security concerns in the IoT environment, in which a user could directly access data from the sensors. Therefore, we propose an authentication and key agreement scheme providing unlinkability for the IoT environment based on bilinear pairings. The formal security proof demonstrates that the proposed protocol is unforgeable under the adaptively chosen message attack, and the session key exchange is semantic secure under the eCK model. In addition, the computation and communication costs of the proposed scheme are evaluated and compared with some existing similar schemes, which exhibits that it pleasantly addresses the needs of the IoT as far as security properties and computation expenses.INDEX TERMS Authentication, IoT, privacy-preserving, security.