Securing Internet of Things (IoT) applications that collect and transport sensitive data by guaranteeing authenticity, integrity, and confidentiality is a critical challenge. Reducing computation and communication overhead of security functions is also a key concern since a large number of constrained devices may take place in such applications. Our main focus in this paper is group authentication and key management in IoT. The existing group authentication and key management protocols in the literature perform computations using asymmetric ciphers, which costly for IoT. Therefore, applications generally employ simple security primitives that are prone to or lead to cyber-attacks by using IoT devices. In this paper, we propose a physically unclonable function (PUF) based lightweight group authentication and key distribution (PLGAKD) protocol that employs PUF, factorial tree, and the Chinese Remainder Theorem (CRT). In PLGAKD, PUF facilitates lightweight authentication and key distribution for group members. Each group member performs 2 encryptions, 1 decryption, 4 XORs operations, and 3 HMAC operations. For the key renewal process, the factorial tree and CRT help us reduce the number of keys stored in nodes and the number of communication messages contrary to the binary tree. As an example, a binary tree with 4096 members completes the key renewal process with 12 messages by storing 12 keys. However, the PLGAKD protocol with 5040 members completes this process with 6 messages by storing 7 keys. Moreover, the PLGAKD protocol becomes more efficient in parallel with the increase in the number of members.