You can allow users to use challenge response or one time password during forgotten password process. To use any of these verification methods, you need to configure the SSPR settings. For more information about configuring forgotten password settings refer, Configuring Forgotten password and Configuring Forgotten Password for a Profile.
Client Login Extension now supports more secured hashing method. The responses are stored in PBKDF2 hashing method. By default SSPR 3.3 uses the PBKDF2 hashing method.