RESETTING PASSWORD VIA CHALLENGE RESPONSE
If you forget your PennKey password, you can reset it online if you have
chosen to enroll in Challenge-Response.
Although the term Challenge-Response may be unfamiliar,
you may have used similar methods to reset forgotten passwords on other
web sites. A user is asked to answer personal questions. Later, if the
user can answer the same questions correctly, information is given about
how to reset a forgotten password.
There are two applications associated with Challenge-Response:
- The Enrollment Application is used to initially enroll in Challenge-Response,
to change your Challenge-Response settings, or to cancel enrollment
in Challenge-Response.
- The Password Reset Application is used to reset your password online
if you forget it.
How the Challenge-Response Applications Work
Enrollment Application. Log in to the Challenge-Response Enrollment Application using your PennKey and Password
to authenticate. Provide answers to three personal information questions.
You may return to the enrollment application at any time to change your
questions and answers or to cancel your enrollment.
Password Reset Application. If you forget your PennKey password, log in to the Challenge-Response Password Reset Application using the last 4 digits
of your SSN, your date of birth, and your Penn
ID to authenticate. When your three questions are displayed, confirm
your identity by entering exactly the same answers you provided originally.
You will then be linked directly to the PennKey Registration site to reset
your password.
Should you forget your answers to the personal information questions,
you can reset your password by using a PennKey Setup Code obtained from PennKey administration stations.
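The answer check in the reset step above, as an added sketch that is not the PennKey service's own code. It assumes answers are stored as salted PBKDF2 digests rather than plaintext; the question ids, iteration count, function names and sample answers are all made up for illustration.

```python
import hashlib
import hmac
import os

# Assumed work factor for this sketch; not taken from the PennKey service.
ITERATIONS = 200_000


def _digest(answer: str, salt: bytes) -> bytes:
    # The answer is hashed byte-for-byte: no trimming or case folding,
    # because the reset step asks for exactly the same answers.
    return hashlib.pbkdf2_hmac("sha256", answer.encode("utf-8"), salt, ITERATIONS)


def enroll(answers: dict) -> dict:
    """Return the stored record: question id -> (salt, digest). No plaintext kept."""
    if len(answers) != 3:
        raise ValueError("enrollment needs answers to three questions")
    record = {}
    for qid, answer in answers.items():
        salt = os.urandom(16)  # per-answer salt, so equal answers hash differently
        record[qid] = (salt, _digest(answer, salt))
    return record


def verify(record: dict, submitted: dict) -> bool:
    """True only if all three submitted answers match the enrolled ones."""
    ok = set(submitted) == set(record)
    for qid, (salt, stored) in record.items():
        candidate = _digest(submitted.get(qid, ""), salt)
        # Constant-time compare and no early exit: the caller learns only
        # pass or fail, not which of the three answers was wrong.
        ok &= hmac.compare_digest(candidate, stored)
    return ok


# Constructed sample enrollment (question ids and answers are made up).
ENROLLED = enroll({"q1": "Blue Heron", "q2": "1987 Civic", "q3": "Ms. Alvarez"})
```
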
Should I Use Challenge-Response?
Challenge-Response is a good option:
- if you want the "anytime, anywhere" convenience of resetting your
password online
- if you travel frequently
- if you think you are likely to forget your password
How Secure Is Challenge-Response?
PennKey Challenge-Response has been designed with an eye towards strong
security:
- It requires correct responses to three separate questions, rather
than just one
- It does not ask questions frequently posed on other sites (such as
"What was your mother's maiden name?")
- It does not request biographical data which could be easily obtained
from other sources (such as "What city were you born in?")
- Passwords are never transmitted as part of the Challenge-Response
process, so they cannot be intercepted.