Prosanta and Biplab presented a lightweight two-factor authentication scheme for the Internet of Things (IoT) devices based on Physical Unclonable Function (PUF). Their presented scheme was based on Fuzzy Extractor and analyzed various security reasonings, such as mutual authentication, session key agreement, privacy and protection against impersonation, message tampering and replay attacks. In this paper, we present sufficient security analysis to demonstrate that the scheme has various security and privacy issues in its setup and authentication phases. We propose a highly secure and robust authentication protocol based on a PKI digital certificate based on two Certificate Authority (CA) for cloud IoT systems. The proposed authentication method is verified and validated using Tamarin Prover and supported with a detailed security and performance analysis discussion. The scheme security and privacy attributes are compared with other IoT authentication schemes. The analysis has proved that the proposed authentication scheme is more secure and highly reliable as compared to Prosanta and Biplab authentication scheme.