The proliferation of the Internet of Things (IoT) has introduced a new paradigm of interconnected devices, enabling advanced functionalities across various domains such as healthcare, smart cities, and industrial automation. However, this rapid expansion has also led to significant security challenges, particularly concerning the authentication of devices within resource-constrained environments. Traditional security mechanisms are often too resource-intensive for IoT applications, necessitating the development of lightweight yet robust solutions. This paper presents a novel lightweight authentication protocol designed specifically for IoT environments. The proposed scheme integrates perceptual hashing with multimodal biometrics, enhancing security by leveraging the unique physiological characteristics of multiple biometric traits. In addition, the protocol incorporates elliptic curve cryptography to provide strong cryptographic guarantees with minimal computational overhead, making it suitable for devices with limited resources. We provide a formal security analysis of the proposed protocol using Burrows-Abadi-Needham logic, demonstrating that it achieves mutual authentication and resistance to common attacks such as replay and impersonation. The protocol’s security is further validated using the Scyther tool, which confirms its resilience against a wide range of potential threats. Our scheme not only ensures secure communication within IoT systems but also maintains the efficiency required for practical deployment in resource-constrained environments.