Challenge-Response Password Reset Option
If you forget your PennKey password, you can reset it online if you have chosen to enroll in Challenge-Response.
Although the term "Challenge-Response" may be unfamiliar, you may have used similar methods to reset forgotten passwords on other web sites. A user is asked to answer personal questions. Later, if the user can answer the same questions correctly, information is given about how to reset a forgotten password.
There are two functions associated with Challenge-Response:
- The Enrollment function is used to initially enroll in Challenge-Response,
to change your Challenge-Response settings, or to cancel enrollment in Challenge-Response.
- The Password Reset function is used to reset your password online if you
How the Challenge-Response Application Works
Enrollment. Log in to Challenge-Response
Enrollment using your PennKey and Password to authenticate.
Provide answers to three personal information questions. You may return to
the enrollment function at any time to change your questions and answers
or to cancel your enrollment.
Password Reset. If you forget
your PennKey password,
log in to
Challenge-Response Password Reset using the last 4 digits of
your date of birth, and your Penn
ID to authenticate. When your three questions are displayed,
confirm your identity by entering exactly the same answers you
provided originally. You will then be linked directly to the PennKey Registration
site to reset your password.
Should you forget your answers to the personal information questions, you can reset your password by using a PennKey Setup Code obtained from a PennKey administration station or by requesting one via the Setup Code Service.
Should I Use Challenge-Response?
Challenge-Response is a good option
- if you want the "anytime, anywhere" convenience of resetting your password online
- if you travel frequently
- if you think you are likely to forget your password
You should not participate in Challenge-Response if you have access to sensitive
information (e.g., student records, payroll, financial data).
Challenge-Response is not available to individuals with Non-Persistent
How Secure Is Challenge-Response?
PennKey Challenge-Response has been designed with an eye towards
- It requires correct responses to three separate questions, rather
than just one
- It does not ask questions frequently posed on other sites (such
as "What was your mother's maiden name?")
- It does not request biographical data which could be easily
obtained from other sources (such as "What city were you born
- Passwords are never transmitted as part of the Challenge-Response
process, so they cannot be intercepted.