Identity authentication has become an essential component for access control in the Internet of Things (IoT) environment. To overcome the inherent weakness of password-based authentication, many present IoT devices (e.g., commercial banking smart cards) are equipped with the fingerprint authentication mechanism. However, due to the resource constraints of IoT devices, oversimplified authentication schemes are deployed, which compromise system performance significantly. Moreover, fingerprint templates in these existing schemes are unprotected. To address these issues, we propose an IoT-oriented privacy-preserving fingerprint authentication system. The proposed system is composed of four main components: 1) minutiae extraction; 2) the minutia cylinder-code (MCC)-based cancelable binary template, generated by the proposed normalized random projection; 3) the lightweight, privacy-preserving template, built by novel pairwise Boolean operations; and 4) fingerprint matching. Our system can effectively mitigate preimage and hill-climbing attacks. A prototype of the proposed system is developed using a popular open-source platform (i.e., Open Virtual Platforms). Comprehensive experimental results on eight benchmark data sets validate the effectiveness of the proposed IoT-oriented fingerprint authentication system. Our system also achieves equivalent authentication accuracy to that of the unprotected fingerprint authentication systems deployed in the resource-rich, non-IoT environment. More importantly, our system prototype is deployable to commercially available low-cost smart cards, such as Atmel AT24C256C Memory Smart Card 256K Bits. To the best of our knowledge, the proposed system is the first privacy-preserving, cancelable fingerprint authentication system developed in such a resource-constrained IoT setting.