See below for information that is available on the PennKey Support tab.
Details About PennKey
This section shows:
- The registered PennName
- The date the PennName was reserved
- The PennKey
- The last date the password was reset; if there is text or comments here instead of a date/timestamp, this means that a setup code has been issued (and the Kerberos credential information is not available from Kerberos) but the user has not used that setup code to re-establish a working PennKey
- The email address to which the setup code email will be sent if a setup code is issued "today" (this is generally the personal email address from the primary source, but if there is no personal email address available from that source, there is logic that looks for a personal/home email address from other sources)
Details About SSPR Registration
This section shows information about PennKey Self-Service Password Reset (SSPR), if available:
- SSPR recovery email
- SSPR recovery phone
If these fields are blank, the user is not enrolled in SSPR. Help them get there!
Details About MFA Enrollment
This section shows information about MFA (multi-factor authentication) enrollment/status:
- whether a Duo account exists for this user (Y/N)
- whether this user is required to use MFA (Y/N)
- whether this user is enrolled in MFA (Y/N)
- whether this user has an MFA exception (Y/N)
- the MFA status from Duo: active, disabled, bypass, no account
- any MFA notes
A support user will be able to view data about the Duo status:
- View Last Login
- View MFA Audit Events
- View MFA Logs
- View Phone details
A support user will also be able to take certain actions to support a user having difficulties with MFA. These options will only be available after the support user verifies that they have ID-proofed the individual:
- Aggregate Duo account: selecting this option does a real-time aggregation (update) against Duo
  - "Aggregation" is the new terminology used for the synchronization between Penn Community and another system (source of identities or target system for provisioning). Aggregation is nearly always a "real time" connection to the other system
  - The "Aggregate Duo Account" option could be useful if you are trying to help someone enroll, and you need to see Duo's version of the situation, which may have been updated while you were supporting the user. This option may show you what the user did, right or wrong. If nothing comes back updated, it would suggest that the user hasn't actually had a meaningful Duo interaction.
- Delete Phone: using this option, after ID proofing, will enable a support user to remove a phone/device (as in, possibly, a stolen or lost phone)
  - Penn recommends that the user do this themselves, if possible; Penn support staff should only use this as a last resort
  - Link to the Duo Device Management Portal: https://upenn.edu/manage-twostep (PennKey login required)
- Generate Bypass Code: using this option, after ID proofing, will enable a support user to generate a 24-hour emergency bypass code
FAQs
Q. Why are both PennName and PennKey shown?
A. Early usage of PennNames often resulted in a PennName being reserved, and being used for local accounts, while a PennKey was never created. We are showing both here in order to support those people who may have been used to using the PennNames web client in order to look up PennNames where there is no PennKey attached.
Q. What do I do if SSPR recovery email and SSPR recovery phone are blank?
A. Help the user enroll in SSPR; information here: https://pennkeysupport.upenn.edu/recovery-service