Energy-constrained devices such as mobile terminals and Internet of Things nodes make lightweight security schemes an urgent need. Traditional identity authentication techniques can protect the user's privacy and information to a certain extent, but they suffer from heavy cost. Non-cryptographic authentication mechanisms based on physical-layer characteristics are new techniques that have a higher security level. Radio transmitter recognition based on the radio-frequency fingerprint (RFF) is one of these non-cryptographic authentication techniques. The authors propose a lightweight one-time password (OTP) authentication scheme based on RFF (RFF-OTP), a novel cross-layer secure authentication scheme that can provide mutual authentication between the mobile terminal and the server by combining an RFF recognition algorithm with a hash encryption algorithm. Through theoretical analysis and Syverson and van Oorschot logic verification, they prove that the RFF-OTP scheme is simple, efficient, flexible and independent of a trusted party, and that, compared with the OTP authentication scheme, it can also resist the cloning attack and satisfy anonymity. Besides, the authors' scheme requires only the password to log into the system, whereas the OTP scheme needs both ID and password for the same purpose.