This paper focuses on analyzing the double PUF-based RFID authentication protocol proposed by Liang et al. and security risks are found in the protocol. The protocol cannot resist replay attack, desynchronization attack, tag impersonation and other malicious attacks. In order to solve the security problems caused by malicious attackers to RFID system, a double PUF-based RFID authentication protocol(DPRAP) is proposed in this paper. In the pseudo-random number generator seed generation phase, the communication value of the seed is not transmitted directly on the insecure channel, and the value of the seed is encrypted and hidden through multiple hashing and xor operations to ensure the confidentiality of the negotiated seed. In the process of pseudo-random number generator seed negotiation between the tag and the server, a time threshold is used to prevent the attacker from blocking the communication channel and causing desynchronization attack, so as to ensure the synchronization of the seed of the pseudo-random number generator between the server and the tag. In the authentication phase, IDS is added to the authentication information to verify the validity of the tag and prevent the tag impersonation attack. By using BAN logic and Vaudenay model to formally analyze and verify the proposed DPRAP protocol, it is proved that DPRAP protocol meets the untraceability and can resist the attacks such as desynsynchronization attack and tag impersonation attack. The results show that the DPRAP protocol has stronger security and privacy and better practicability.