With the rapid development of 5G mobile communication technology and the continuous expansion of the Internet of Things (IoT) industry, the number of IoT devices has grown exponentially. Because their application scenarios differ, IoT devices have uneven security guarantees, which poses great security threats to the devices themselves and to the IoT system. This is especially true of physical threats to the device and firmware tampering: by modifying the firmware, attackers can even turn your home’s sweeping robot into a spy. In view of these threats, this paper proposes FSMFA, a Firmware-Secure Multi-Factor Authentication protocol based on PUF (physical unclonable function) and device firmware integrity, which enhances the physical and software security of IoT devices while enhancing the security of the IoT system, so as to realize mutual authentication and key negotiation between the device and the server. At the same time, to keep the device secure throughout its whole life cycle, we propose a challenge-response pair (CRP) and firmware update scheme for the device. Finally, we use BAN logic and ProVerif to prove the security of the authentication and update protocols. Compared with other similar protocols, the proposed protocol achieves better security and higher efficiency.