With the advancement of information technology and the reduction of costs, the application of unmanned aerial vehicles (UAVs) has gradually expanded from the military field to the industrial and civilian fields. UAVs bring great convenience to people in surveillance, detection, transportation, emergency rescue, etc. However, UAVs usually work in harsh natural environments, and their communication security faces various challenges. Because UAVs have limited resources, such as computing capability, storage space, and energy, traditional security protection schemes based on complex cryptographic algorithms are not directly suitable for UAV systems. Therefore, a two‐stage lightweight identity authentication and key agreement protocol for UAVs is proposed in this paper. The entire process uses only hash and XOR operations, which significantly improves the authentication efficiency. In addition, a physical unclonable function (PUF) is introduced and embedded into the UAV hardware to ensure UAV network communication security when a UAV suffers a physical capture attack. In the paper, the security of the proposed protocol is proved with Burrows–Abadi–Needham (BAN) logic, the Real‐or‐Random (ROR) model, and AVISPA simulation tools. An informal security analysis is also provided to illustrate that the protocol satisfies the security requirements of UAV networks. Finally, the protocol is compared with other existing protocols in terms of functional properties, computation cost, and communication cost, which shows that the proposed protocol is effective and practical.