Passive Internet of Things (IoT) like radio frequency identification (RFID) tags can be used to offer a wide range of services, such as object tracking or classification, marking ownership, noting boundaries, and indicating identities. While the communication link between a reader of the tag and the authentication server is generally assumed to be secure, the communication link between the reader and participating tags is mostly vulnerable to malicious acts. Many authentication protocols have been proposed in literature, however, they either are vulnerable to certain types of attacks or require prohibitively a large amount of computational resources to be implemented on a passive tag. In this paper, we present variants of a novel authentication protocol that can overcome the security flaws of previous protocols while being well suited to the computational capability of the tags. At the core of the proposed approach is our recently demonstrated self-powered timing devices that can be used for robust time-keeping and synchronization without the need for any external powering. The outputs of the timers are processed using a single hash function on the tag to produce tokens that continuously change with time, while being synchronized to tokens generated by the authentication server. The proposed protocol also incorporates margins of tolerance that make the authentication process robust to any deviations in the timer responses due to fabrication artifacts.