With the development and application of communication networks, the Internet of Things carries the safe transmission and storage of a large amount of sensitive information. Since devices are usually small in size and resource-constrained, complex security primitives are not suitable for authentication of lightweight IoT devices. This paper proposes a lightweight anonymous key shared authentication protocol for IoT devices, which generates a shared key by the physical unclonable function(PUF) and uses security primitives such as the MASK algorithm and the Hash function. The security analysis and verification are accomplished by Ban logic and ProVerif to prove that the protocol ensures security attributes such as anonymity, non-repudiation, and forward/backward confidentiality. Compared with other protocols, this protocol has the characteristics of low computing cost, small communication overhead and storage capacity, and high security performance, which is suitable for the secure communication transmission of resource-constrained devices.