© 2014 IEEE.Securing Internet-of-Things (IoT) applications that collect and transport sensitive data by guaranteeing authenticity, integrity, and confidentiality is a critical challenge. Reducing computation and communication overhead of security functions is also a key concern since a large number of constrained devices may take place in such applications. Our main focus, in this article, is group authentication and key management in IoT. The existing group authentication and key management protocols in the literature perform computations using asymmetric ciphers, which costly for IoT. Therefore, applications generally employ simple security primitives that are prone to or lead to cyberattacks by using IoT devices. In this article, we propose a physically unclonable function (PUF)-based lightweight group authentication and key distribution (PLGAKD) protocol that employs PUF, factorial tree, and the Chinese remainder theorem (CRT). In PLGAKD, PUF facilitates lightweight authentication and key distribution for group members. Each group member performs two encryptions, one decryption, four XORs operations, and three HMAC operations. For the key renewal process, the factorial tree and CRT help us reduce the number of keys stored in nodes and the number of communication messages contrary to the binary tree. As an example, a binary tree with 4096 members completes the key renewal process with 12 messages by storing 12 keys. However, the PLGAKD protocol with 5040 members completes this process with six messages by storing seven keys. Moreover, the PLGAKD protocol becomes more efficient in parallel with the increase in the number of members.