It is necessary for researchers to design lightweight authentication protocols to protect information security between tag and reader in RFID system. It is a great challenge to design an efficient and secure protocol because the tag has limited computation resource. In the paper, we firstly analyze some protocols. Secondly, we introduce a serverless authentication protocol for RFID system and analyze its security. We find it does not provide two-way authentication. Thirdly, we propose a modified two-way authentication protocol without server for RFID. The result indicates it provides privacy protection, resists tracking, and resists cloning attack. Moreover, it provides two-way authentication. For the efficiency, we think the computational complexity of our protocol is at the same level with the original protocol.