- Client connects to Server
- Server sends salt: S
- Client sends a hash over the hashed password and the salt: H(H'(P) S)
- Server compares the received hash with its own computed hash (from the hashed password H'(P) stored in the database)
A salt is used because, without it, an eavesdropper could authenticate simply by replaying a previously captured hash.
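The exchange above, as an added Python example that is not part of the original post: both sides are modelled, the server stores only H'(P) and remembers the salt it issued for the current attempt, and `replay_succeeds` checks whether a captured reply works a second time. SHA-256 for H and H', a 16-byte random salt, and the constant-salt variant used for comparison are all assumptions made here.

```python
import hashlib
import hmac
import secrets


def h_prime(password: str) -> bytes:
    """H'(P): the hashed password the server keeps in its database (SHA-256 assumed)."""
    return hashlib.sha256(password.encode()).digest()


def h(stored_hash: bytes, salt: bytes) -> bytes:
    """H(H'(P) S): hash over the stored password hash and the salt S."""
    return hashlib.sha256(stored_hash + salt).digest()


class Server:
    def __init__(self, users: dict, fresh_salt: bool = True):
        self.db = {u: h_prime(p) for u, p in users.items()}  # only H'(P) is stored
        self.fresh_salt = fresh_salt  # False reuses one constant salt, for comparison
        self.pending = {}  # user -> salt issued for the current attempt

    def send_salt(self, user: str) -> bytes:
        salt = secrets.token_bytes(16) if self.fresh_salt else b"\x00" * 16
        self.pending[user] = salt
        return salt

    def verify(self, user: str, received: bytes) -> bool:
        salt = self.pending.pop(user, None)  # each salt is usable once
        if salt is None or user not in self.db:
            return False
        return hmac.compare_digest(h(self.db[user], salt), received)


def client_reply(password: str, salt: bytes) -> bytes:
    """What the client sends after receiving S."""
    return h(h_prime(password), salt)


def run_exchange(server: Server, user: str, password: str):
    salt = server.send_salt(user)
    reply = client_reply(password, salt)
    return server.verify(user, reply), reply


def replay_succeeds(fresh_salt: bool) -> bool:
    """Does a reply captured from one login authenticate again later?"""
    server = Server({"alice": "correct horse"}, fresh_salt=fresh_salt)
    ok, captured = run_exchange(server, "alice", "correct horse")
    assert ok
    server.send_salt("alice")  # new attempt; only the old reply is replayed
    return server.verify("alice", captured)
```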