The proliferation of passive Internet-of-Things (IoT) into the consumer and enterprise markets has necessitated enhanced security requirements. Many security protocols have been proposed in the literature to address these requirements; however, they are either prone to certain types of attacks or computationally expensive for resource-constrained passive IoT devices. In this paper, we propose two variants of a novel mutual authentication protocol that utilizes the synchronization property of Fowler-Nordheim (FN) tunneling-based self-powered timers. The first protocol provides mutual authentication using the dynamic timer values. The protocol is both lightweight and provably immune to most of the well-known security attacks. Moreover, it offers an efficient and secure capability for easy revocation of tags and readers from the IoT system. The second protocol, an enhanced version of the first, provides disguised identities for applications that require privacy preservation. This protocol can thus serve as a perfect candidate for high-security passive IoT applications such as e-passports.