The Internet of Things (IoT) seeks to enhance human life by embedding everyday objects with intelligence. As deployed in diverse environments, IoT devices exchange substantial data to offer autonomously smart and innovative services. Cloud computing serves as an effective solution for processing and storing data from IoT devices, enabling remote access for end-users. However, authenticating remote users poses a critical challenge. Although several existing schemes tackle this challenge, they have notable security and performance weaknesses. This paper introduces a lightweight, distributed multi-factor authentication scheme for remote users in IoT. The proposed approach, named Lightchain, integrates blockchain technology and fog computing while incorporating a lightweight cryptographic hash function. The security of Lightchain is rigorously confirmed through formal verification using the well-recognized Automated Validation of Internet Security Protocols and Applications (AVISPA) tool. Additionally, we develop and assess Lightchain’s functionality using the solidity language across diverse use cases. A comparative analysis is presented to evaluate performance costs and security requirements against recent methods. The proposed scheme demonstrates efficiency and robustness, making it well-suited for a range of IoT applications.