Medical cyber-physical systems (MCPS) monitor and control patients' physiologic dynamics using embedded and distributed computing processes and wireless and wired communication networks. MCPS greatly impact society by providing high-quality medical services and low-cost ubiquitous healthcare. The major component that integrates the physical world with cyber space is the wireless body area network (WBAN) of medical sensors and actuators worn by or implanted in a patient. The life-critical nature of MCPS mandates safe and effective system design, and MCPS must operate safely under malicious attacks. Authentication, which ensures that a medical device is what it claims to be and does what it declares to do, is the first line of MCPS defense. Traditional authentication mechanisms, which rely on cryptography, are not applicable to MCPS because of the constraints on computing, communication, and energy resources. Recent innovations to secure mobile wireless sensor networks, which use multi-sensor fusion to reduce power consumption, are not adequate. Besides these challenges, MCPS present grand opportunities: the unique physical features of WBAN allow non-cryptographic authentication and human-aided security. This paper proposes an authentication framework for MCPS. By studying medical processes and investigating healthcare adversaries, the novel design spans the physical world and cyber space. With uneven resource allocation, the resource-scarce WBAN uses no encryption for authentication. Evaluation of this authentication protocol shows promising aspects and ease of adaptability. Copyright © 2014 John Wiley & Sons, Ltd.