Penn Computing

Penn Computing

Computing Menu Computing A-Z
Computing Home Information Systems & Computing Penn

Challenge-Response Password Reset Option

If you forget your PennKey password, you can reset it online if you have chosen to enroll in Challenge-Response.

Although the term "Challenge-Response" may be unfamiliar, you may have used similar methods to reset forgotten passwords on other web sites. A user is asked to answer personal questions. Later, if the user can answer the same questions correctly, information is given about how to reset a forgotten password.

There are two functions associated with Challenge-Response:

  1. The Enrollment function is used to initially enroll in Challenge-Response, to change your Challenge-Response settings, or to cancel enrollment in Challenge-Response.
  2. The Password Reset function is used to reset your password online if you forget it.

How the Challenge-Response Application Works

Enrollment. Log in to Challenge-Response Enrollment using your PennKey and Password to authenticate. Provide answers to three personal information questions. You may return to the enrollment function at any time to change your questions and answers or to cancel your enrollment.

Password Reset. If you forget your PennKey password, log in to Challenge-Response Password Reset using the last 4 digits of your SSN, your date of birth, and your Penn ID to authenticate. When your three questions are displayed, confirm your identity by entering exactly the same answers you provided originally. You will then be linked directly to the PennKey Registration site to reset your password.

Should you forget your answers to the personal information questions, you can reset your password by using a PennKey Setup Code obtained from a PennKey administration station or by requesting one via the Setup Code Service.

Should I Use Challenge-Response?

Challenge-Response is a good option

  • if you want the "anytime, anywhere" convenience of resetting your password online
  • if you travel frequently
  • if you think you are likely to forget your password

You should not participate in Challenge-Response if you have access to sensitive information (e.g., student records, payroll, financial data).

Challenge-Response is not available to individuals with Non-Persistent PennKeys.

How Secure Is Challenge-Response?

PennKey Challenge-Response has been designed with an eye towards strong security:

  • It requires correct responses to three separate questions, rather than just one
  • It does not ask questions frequently posed on other sites (such as "What was your mother's maiden name?")
  • It does not request biographical data which could be easily obtained from other sources (such as "What city were you born in?")
  • Passwords are never transmitted as part of the Challenge-Response process, so they cannot be intercepted.

Information Systems and Computing
University of Pennsylvania
Comments & Questions

Penn Computing University of Pennsylvania
Information Systems and Computing, University of Pennsylvania