Invention Patent
- Patent Title: AUTHENTICATION PROTOCOLS IN COMMUNICATION NETWORKS
- Application No.: CA2059172; Application Date: 1992-01-10
- Publication No.: CA2059172C; Publication Date: 1996-01-16
- Inventor: BIRD RAYMOND F, GOPAL INDER S, JANSON PHILIPPE A, KUTTEN SHAY, MOLVA REFIK A, YUNG MARCEL M
- Applicant: IBM
- Assignee: IBM
- Current Assignee: IBM
- Priority: US67222691 1991-03-20
- Main IPC: H04L9/06
- IPC: H04L9/06 ; G06F21/00 ; G09C1/00 ; H04L9/14 ; H04L9/32 ; H04L12/22 ; H04K1/00
Abstract:
An arrangement for authenticating communications network users and means for carrying out the arrangement: A first challenge N1 is transmitted from a first user A to a second user B. In response to the first challenge, B generates and transmits to A a first response to the challenge and a second challenge N2. A verifies that the first response is correct. A then generates and transmits to B a second response to the second challenge, where the second response is verified. The first response must be of a minimum form S1 and S2 are shared secrets between A and B. S1 may or may not be equal to S2. In addition, f() and g() are selected such that the equation f'(S1, N1', ...) = g(S2, N2) cannot be solved for N1' without knowledge of S1 and S2. f'() and N1' represent expressions on a second reference connection. Preferably, the function f() may include the direction D1 of flow of the message containing f(), as in f(S1, N1, D1, ...). In such a case, f() is selected such that the equation f'(S, N1', D1', ...) = f(S, N2, D1, ...) cannot be solved for N1' without knowledge of S1 and S2. In this equation, D1' is the flow direction indicator of the message containing f'() on the reference connection. Specific protocols satisfying this condition are protected from so-called intercept attacks.
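The condition in the abstract can be checked concretely. The following is an added example, not code from the patent: it assumes S1 = S2 = S, uses HMAC-SHA-256 for both f() and g(), and invents the direction labels and function names. It compares the response B expects to N2 with a response computed over the same nonce on a reference connection, with and without a direction field.

```python
import hashlib
import hmac
import secrets

# Assumed direction indicators (constructed labels, not from the patent).
D_B_TO_A = b"B->A"   # flow carrying the first response
D_A_TO_B = b"A->B"   # flow carrying the second response

def response(secret, nonce, direction=None):
    """f()/g() modelled as HMAC-SHA-256 over length-prefixed fields (assumption)."""
    fields = [nonce] if direction is None else [nonce, direction]
    msg = b"".join(len(f).to_bytes(2, "big") + f for f in fields)
    return hmac.new(secret, msg, hashlib.sha256).digest()

def verify(expected, received):
    return hmac.compare_digest(expected, received)

def run_handshake(secret):
    """Three flows: N1 ->, <- f(S,N1,D1) with N2, g(S,N2,D2) ->."""
    n1 = secrets.token_bytes(16)                      # A's challenge
    r1 = response(secret, n1, D_B_TO_A)               # B's first response
    n2 = secrets.token_bytes(16)                      # B's challenge
    if not verify(response(secret, n1, D_B_TO_A), r1):
        return False                                  # A rejects B
    r2 = response(secret, n2, D_A_TO_B)               # A's second response
    return verify(response(secret, n2, D_A_TO_B), r2) # B checks A

def reference_connection_solves(secret, n2, with_direction):
    """True if f'(S, N1') computed on a reference connection with N1' = N2
    would be accepted as the second response to N2, i.e. the equation in
    the abstract is solvable without knowing S."""
    if with_direction:
        f_prime = response(secret, n2, D_B_TO_A)      # first-response flow
        expected = response(secret, n2, D_A_TO_B)     # second-response flow
    else:
        f_prime = response(secret, n2)                # same function, same input
        expected = response(secret, n2)
    return verify(expected, f_prime)

if __name__ == "__main__":
    s = secrets.token_bytes(32)                       # constructed shared secret
    n2 = secrets.token_bytes(16)
    print("handshake ok:", run_handshake(s))
    print("solvable without direction:", reference_connection_solves(s, n2, False))
    print("solvable with direction:", reference_connection_solves(s, n2, True))
```

Without the direction field, N1' = N2 solves the equation and the value is accepted; binding each response to its flow direction makes the two sides differ for every nonce.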
Public/Granted literature
- CA2059172A1 AUTHENTICATION PROTOCOLS IN COMMUNICATION NETWORKS; Public/Granted day: 1992-09-21