
PennKey FAQ

What is a PennKey and who needs one?

A PennKey is an individual's username and an associated password within the PennKey authentication system. A PennKey is required to authenticate your identity and access many of Penn's online resources. 

University of Pennsylvania faculty, staff, students, and alumni; employees of the University of Pennsylvania Health System; and sponsored guests (individuals with an official business need for accessing restricted Penn resources) are eligible for a PennKey. Some examples of sponsored guests include consultants, volunteers, visiting scholars, and course auditors.

How do I get a PennKey?

How you get a PennKey depends on your affiliation with the University. For example, the process for incoming students is fully automated. PennKeys for guests and temporary affiliates are initiated by the sponsoring department, center or school. 

What should students, faculty, and staff who don't have a U.S. Social Security Number (SSN) enter when the last four digits of their SSN are requested on a PennKey registration logon screen?

They should enter the last four digits of the 9-digit identifier (ID) they received from the University. This ID takes the form xxx-xx-xxxx and is variously referred to as a Student ID, a Federal Taxpayer ID, and a Penn-assigned SSN. Students typically receive this identifier from their admitting program office, while faculty and staff receive it from their business administrator.

Newly admitted students who did not provide a U.S. SSN with their application are also issued a Penn-assigned SSN to use during PennKey registration. 

Can I change my PennKey username after I register it?

Your PennKey username can be changed only under the following circumstances:

  • A legal name change
  • A PennName is deemed offensive to the Penn community
  • Reported email harassment or threats that warrant a change

Provided that you meet one of the criteria above, to initiate a request for a PennName change, contact the IT support staff of your school or center. Please note that if your PennKey username changes, so will your username on all other systems that are based on your PennKey username such as your email account name.

I've forgotten my PennKey username! What do I do now?

If you can't remember your PennKey username, contact the PennKey support group for assistance.

How long will my PennKey stay active?

PennKeys generally do not expire but they may become inactive. An active PennKey alone does not grant access to PennKey-protected services. Authorization (access or eligibility to use a service) is determined by the owners of individual services and may change or be terminated if your University affiliation or status changes.

Your PennKey alone doesn't authorize you to use campus computers, resources, or services. It only proves your identity. Authorization is the service owner's decision. For example, say that you change jobs within Penn. Previously, you had access to departmental financial data via BEN Reports, but that's not part of your new job. You'll still be able to use your PennKey for authorized services like Workday, but you won't be able to access the financial data you previously were authorized to access.

What are PennKey Setup Codes, and how do they work?

PennKey Setup Codes are temporary identifiers used to log in to the PennKey Registration application. A Setup Code expires once it's been used or 30 days from the issue date, whichever comes first. It cannot be reused. A Setup Code can be used to (1) register a new PennKey, or (2) reset a PennKey password if you have forgotten it.

How do I get another Setup Code if I lose mine or it expires?

You can always get a replacement Setup Code by contacting PennKey Support or visiting a PennKey Administration Station. Note that once you request another Setup Code by any means, the previously requested Setup Code becomes invalid.

When I try to create a password, it gets rejected because it supposedly contains a dictionary word, though I don't think it does. What's going on?

"Dictionary" does not simply mean a standard English language dictionary -- it also includes foreign language dictionaries and all kinds of specialized dictionaries that hackers use to crack passwords.

What is the Self-Service Password Reset application?

Self-Service Password Reset (SSPR) is Penn’s modern, secure, easy-to-use app for resetting your PennKey password – using only your pre-registered personal (non-Penn) email address and cell phone number.

I've forgotten my PennKey password. What should I do?

You will need to reset it -- no one can retrieve a forgotten password for you. If you previously enrolled in SSPR, you can reset your password online instantly. Otherwise, you need to obtain a new Setup Code.

I know my PennKey password but would like to change it. How do I do it?

You can reset your password to something that you prefer by using the Self-Service Password Reset (SSPR) if you know your existing PennKey password.

I think somebody “stole” or found out my PennKey password. What should I do?

If you believe that your PennKey password has been compromised, contact the Office of Information Security at security@isc.upenn.edu or by calling 215-898-1000. They can immediately issue a Setup Code against your PennKey that will effectively “freeze” your PennKey until you can obtain a Setup Code to reset your password. If you believe that any criminal activity has taken place or will take place, it is strongly recommended that you contact Penn Public Safety at 511 (on-campus) or 215-573-3333.

I'm able to access most things that require PennKey (Path@Penn, Canvas, etc.), but cannot access some of the Library resources I need. What's wrong?

If you are having trouble accessing Library resources, visit any Library Circulation Desk and consult with Library staff. Note that not all Penn affiliates are authorized to access Library electronic resources. For more information, visit the Penn Libraries Electronic Resources website. 

How can I tell if my PennKey works?

Try the Test My PennKey application. If you can authenticate successfully in that application, your PennKey username and password are functioning properly.

I verified my PennKey using the Test My PennKey application, but I still can't access a PennKey-protected online resource. What do I do?

If the service uses PennKey authentication, report your access problem to the service or application owner. Your login problem may be specific to that service rather than being a PennKey problem.

What do I do if I need help but can't contact PennKey Support through the website?

Eligible affiliates of the University can visit a PennKey Administration Station on campus with the required photo identification.

Two-Step Verification (Duo) FAQ

Why is Penn requiring me to enroll in Two-Step Verification?

Penn is requiring most people (by affiliation) to enroll in Two-Step Verification in order to protect University information assets and community members’ personal information. Some applications require Two-Step Verification for all users of the service regardless of affiliation. Many of Penn’s peer institutions have already implemented Two-Step, as have banks, financial services providers and companies such as Apple and Google. As more and more of the University’s interactions with its students, faculty, staff, and alumni occur over web-based applications, the need to protect your data from those with criminal intent or a personal grudge is continually increasing.

Password-related security breaches are happening with increasing frequency all over the world. When such breaches occur, users’ passwords and other personal information are then sold to other hackers, or even simply released openly to the world. Considering that users frequently re-use passwords at multiple websites, the security provided by a simple password becomes weaker each year.

In short, relying on passwords to protect our personal and organizational security is not sufficient. We must take steps to improve the security posture of both the University as a whole and you, our individual users.

How do I enroll in Two-Step Verification?

Consult the Two-Step Verification: Getting Started page for quick instructions on how to enroll. For detailed, step-by-step instructions including screenshots, see Two-Step Verification: Enrollment Instructions.

Will I need to use Two-Step every time I log into a PennKey-protected website?

If you are required to use Two-Step, all Penn web resources that prompt you for PennKey and password will require Two-Step Verification. However, if you confirm "Yes, this is my device" during Duo verification, you will not be prompted again for 60 days if you are using the same browser and device.

Will I need to use Two-Step to log in to AirPennNet or my desktop?

No. At this time, Two-Step is only required for resources accessed through Penn’s WebLogin system. Currently, the following resources do NOT use Two-Step:

  • AirPennNet – While AirPennNet does use your PennKey, it does not require Two-Step.
  • Your Penn desktop/laptop computer – these are not integrated with WebLogin and do not use Two-Step.
  • Any web-based application that does not use the Penn WebLogin page is not affected.

What is Duo Mobile?

Duo Mobile is an application that allows you to use your Android or iOS device for Two-Step Verification. Duo Mobile is free to download and use.

Duo Mobile is simple to set up and provides two options for completing your second login step.

  • Use Duo Push to automatically receive a push notification on your device when you log in. You only need to press “Approve” on your device to complete the login. After you press “Approve,” your web browser automatically detects the approval and completes the login without any further action from you. You can select Duo Push as your primary verification method during the enrollment process.
  • Open the Duo Mobile app on your iOS or Android device to generate a single-use verification code, and then enter that code. Codes are generated by the app without requiring a connection to the Two-Step servers. No Wi-Fi or cellular data connection is required.

What are the different methods and devices for logging in with Two-Step?

For the best user experience, Penn recommends using Duo Mobile on your iOS or Android device.

After enrolling in Two-Step, you’ll continue to log in with your PennKey and password in your web browser and then will use a device in your possession to complete the second step of the log-in process.

You can select your primary and backup verification methods during the enrollment process. Options include:

  • Install the Duo Mobile app on your Android or iOS phone or other device in order to receive Duo Push notifications that you tap and approve or generate single-use verification codes to enter in your browser.
  • Receive a text message with a single-use verification code on your mobile phone and enter the code into your browser (No smartphone required).
  • Receive an automated phone call on your mobile phone or landline (No smartphone required).
  • Use a Duo fob acquired from the Tech Center to generate a single-use verification code to enter into your browser.
  • Use a Security Key purchased separately.

How do the different login options work? How do I choose which one to use?

There are two main considerations for choosing a verification method:

  1. The devices to which you have access.
  2. Whether or not you’re connected to a Wi-Fi or cellular data network.

For information on the different methods and devices for logging in with Two-Step, see the Login Options page.

What are my back-up options for Two-Step? How do I log in if I don't have access to my Two-Step device?

If you don’t have access to your primary and backup Two-Step devices and need to access a PennKey-protected resource, contact PennKey Support.

I travel a lot. What's my best option in areas where cellular or Wi-Fi service is unreliable or insecure?

Two-Step allows you to securely access your data from anywhere in the world – even if your Two-Step verification device isn’t connected to Wi-Fi or a cellular network. The Duo app on your device can generate verification codes without a real-time Wi-Fi or cellular connection.

If you travel frequently, consider purchasing a Security Key (YubiKey and Feitian supported).

To add, rename, or delete devices, visit: https://upenn.edu/manage-twostep.

For additional information, see the "Two-Step Verification: Before you travel" resource article.

I'm interested in purchasing a Security Key. What kind should I get?

Duo recommends Security Key products from YubiKey and Feitian. All products recommended below will work on Penn’s Duo implementation.

For YubiKey, take their quiz to get a recommendation for the YubiKey product that best suits your needs.

For Feitian, review their product listing for Security Keys to select the best FIDO Security Key product for you.

I am a faculty member. What should I do about teaching with Two-Step Verification?

NOTE: Some classroom PCs at Penn allow a user’s data to remain on the machine after logout. Other classroom PCs are configured to erase that data immediately upon user logout.

  • If you’re teaching in a classroom where the PC allows user data to remain after logout (or if you teach using your own computer) you will only need to perform Two-Step Verification on that PC the first time you log in. After that, Two-Step will remain valid for you on that browser for 60 days.
  • In many of Penn’s shared classrooms, the room PC is configured to erase each user’s activity immediately after logoff from the machine. In those rooms, Two-Step will be required when lecturers sign in with their PennKey at the start of the class.
  • If you’re teaching in a classroom with no Wi-Fi or cellular connectivity, you can still use Two-Step. The Duo app on your device can generate verification codes without a real-time Wi-Fi or cellular connection.

How do I manage my Two-Step Verification, including changing my verification methods or updating my information?

You can manage your Two-Step account at any time by going to the Duo Device Management Portal: https://upenn.edu/manage-twostep. From here, you can add, rename, or delete devices.

I see my phone number listed in the Duo Device Management Portal, but when I try to edit it, I only have Rename and Delete options. Why can't I change my phone number?

When you click Edit on your phone number's listing, you're editing only the label for your phone number (e.g., a descriptive label such as phone or My Mobile). Use the Add a device option instead (for details, see Two-Step Verification: Configuring a Replacement Phone).

I’m enrolled in Two-Step. What should I do if I get a new phone?

If you’re already enrolled in Two-Step and get a replacement phone, you will need to configure a new Duo Mobile profile for your replacement phone. See Two-Step Verification: Configuring a Replacement Phone for step-by-step instructions.

Do I need to re-register my Duo Mobile device for Two-Step if I change my cellphone number/SIM card?

I’m already enrolled in Two-Step. Do I need to enroll again?

No. All currently enrolled users and their devices will continue to work. However, we recommend you consider switching to Duo Mobile and using Duo Push notifications for the most convenient Penn Two-Step experience. If you are currently using another method for Penn Two-Step Verification and would like to continue using it, you may do so.

In the Duo Device Management Portal, I see Hardware Token items marked as HOTP and TOTP. What are these and can I delete them?

Users who used Penn's Two-Step Verification prior to November 14, 2023 may see Hardware Token options in their Duo Device Management Portal starting with "HOTP" or "TOTP." These tokens relate to legacy authentication methods, most of which are no longer supported. If you are not actively using any legacy Google Authenticator tokens, it is safe to delete these Hardware Tokens.