User authentication is a key research domain in security. We propose a user authentication scheme based on a Physical Unclonable Function (PUF). Unlike typical PUF applications, which place the PUF on the tag side, we employ the PUF within an Authentication Centre (AC), whose only role is to verify whether an RFID tag is legitimate. When a tag is verified as legitimate, the AC sends a one-time password to the requesting reader. The reader uses this password to decrypt the tag's sensitive information, which the tag has encrypted under that same password. On the tag side, the password used for encryption is generated and used only once.