You can allow users to use challenge response or one time password during forgotten password process. To use any of these verification methods, you need to configure the SSPR settings. For more information about configuring forgotten password settings refer, Configuring Forgotten Password Module.
Client Login Extension now supports more secured hashing methods. The responses are stored in PBKDF2WithHmacSHA512 hashing method. By default, SSPR 4.2 uses the PBKDF2WithHmacSHA512 hashing method.