An innovative cross-layer authentication protocol that integrates cryptography-based authentication and physical layer authentication (PLA) is proposed for massive cellular Internet of things (IoT) systems. Due to dramatic increases in the number of cellular IoT devices, a centralized authentication architecture in which a mobility management entity in core networks administers authentication of massive numbers of IoT devices may cause network congestion with large signaling overhead. Thus, a distributed authentication architecture in which a base station in radio access networks authenticates IoT devices locally is presented. In addition, a cross-layer authentication protocol is designed with a novel integration strategy under the distributed authentication architecture, where PLA, which employs physical features for authentication, is used as preemptive authentication in the proposed protocol. Theoretical analysis and numerical simulations were performed to analyze the trade-off between authentication performance and overhead in the proposed authentication method compared with existing authentication protocols. The results demonstrate that the proposed protocol outperforms conventional authentication and key agreement protocols in terms of overhead and computational complexity while guaranteeing low authentication error probability.