An authentication method used to prove the identity of a user logging into the network. When a user logs on, the network access server (NAS), wireless access point or authentication server creates a "challenge," which is typically a random number sent to the client machine. The client software uses its password or a secret key to encrypt the challenge via an encryption algorithm or a one-way hash function and sends the result back to the network (the "response"). The authentication system also performs the same cryptographic process on the challenge and compares its result to the response from the client. If they match, the authentication system has verified that the user has the correct password.Hardware AssistedChallenge/response systems may also work with an authentication token, which is a smart card or credit-card sized card that users have in their possession. When they log in, they respond to the challenge by either inserting their smart card into a reader or typing in the password displayed on the card's readout. See authentication token, authentication, access control and CHAP.