# System Users

The **System Users** screen allows you to create, add and delete System Users (**Figure 1**).

**Figure 1**

[![image-1637977280616.png](https://docs.deeztek.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637977280616.png)](https://docs.deeztek.com/uploads/images/gallery/2021-11/image-1637977280616.png)

By default, Hermes SEG comes pre-configured with the **System User** account with the following default credentials:

- **Username:** admin
- **Password:** ChangeMe2!

#### Create System User

If you wish to create a new System User, click the **Create System User** button at the top of the screen (**Figure 2**).

**Figure 2**

[![image-1637977567602.png](https://docs.deeztek.com/uploads/images/gallery/2021-11/scaled-1680-/image-1637977567602.png)](https://docs.deeztek.com/uploads/images/gallery/2021-11/image-1637977567602.png)

You will be directed to the **Edit System User** screen, where the system has already pre-filled the **Username**, **E-Mail Address**, **First Name** and **Last Name** fields. The **Access Control Policy** field has been set to **One Factor**, the **Set User Password** field has been set to **YES** and the **Check Password Against haveibeenpwned.com** field has been set to **YES**. Adjust the fields as necessary, enter a password in the **User Password** field and click the **Submit** button (**Figure 3**).

**Figure 3**

[![image-1638020865501.png](https://docs.deeztek.com/uploads/images/gallery/2021-11/scaled-1680-/image-1638020865501.png)](https://docs.deeztek.com/uploads/images/gallery/2021-11/image-1638020865501.png)

#### Access Control Policy

The **Access Control Policy** field allows you to switch between **One Factor** Authentication (1FA), which consists of Username and Password authentication (the default), and **Two Factor** Authentication (2FA), which consists of Username and Password plus an additional **Timed One Time Password** (TOTP) generated on your mobile device for additional security.

Two Factor requires the following prerequisites before enabling:

- Hermes SEG Outbound E-mail Flow must be working correctly.
- The System User account on which you enable Two Factor authentication must have a valid e-mail address.
- You must have an Authenticator app installed on your mobile device, such as [FreeOTP](https://freeotp.github.io), [Google Authenticator](https://play.google.com/store/apps/details?id=com.google.android.apps.authenticator2), [Authy](https://authy.com/download/) etc.

Once you set the **Access Control Policy** to **Two Factor** and click the **Submit** button, log out and then log back in with the same System User for which you enabled Two Factor authentication. After you successfully authenticate, the system will prompt you to register your mobile device. Click the **Register device** link on the One-Time Password screen (**Figure 4**).

**Figure 4**

[![image-1635449972196.png](https://docs.deeztek.com/uploads/images/gallery/2021-10/scaled-1680-/image-1635449972196.png)](https://docs.deeztek.com/uploads/images/gallery/2021-10/image-1635449972196.png)

The system will display **An email has been sent to your address to complete the process** in the upper right-hand corner of the screen (**Figure 5**).

**Figure 5**

[![image-1635450273072.png](https://docs.deeztek.com/uploads/images/gallery/2021-10/scaled-1680-/image-1635450273072.png)](https://docs.deeztek.com/uploads/images/gallery/2021-10/image-1635450273072.png)

Check the mailbox of the e-mail address associated with your account, look for an e-mail with the subject **Register your mobile** and click the **Register** button at the bottom of the e-mail (**Figure 6**).

**Figure 6**

[![image-1635450744160.png](https://docs.deeztek.com/uploads/images/gallery/2021-10/scaled-1680-/image-1635450744160.png)](https://docs.deeztek.com/uploads/images/gallery/2021-10/image-1635450744160.png)

You will be taken to the **Scan QR Code** page.
Using the Authenticator app you previously downloaded and installed on your mobile device, scan the QR Code from the page and click the **DONE** button (**Figure 7**).

**Figure 8**

[![image-1635451176940.png](https://docs.deeztek.com/uploads/images/gallery/2021-10/scaled-1680-/image-1635451176940.png)](https://docs.deeztek.com/uploads/images/gallery/2021-10/image-1635451176940.png)

On the following **One-Time Password** screen, enter the passcode generated by your authenticator app (**Figure 9**).

**Figure 9**

[![image-1635452032741.png](https://docs.deeztek.com/uploads/images/gallery/2021-10/scaled-1680-/image-1635452032741.png)](https://docs.deeztek.com/uploads/images/gallery/2021-10/image-1635452032741.png)

If everything goes well and you typed in the correct passcode within the allotted time, you should be able to log in successfully to the **Hermes SEG Administration Console**.

If you run into a problem and Two Factor authentication does not work for any reason, you can reset authentication back to One Factor by running the following script from the console with root privileges:

```
/opt/hermes/scripts/disable_authelia_2fa.sh
```

#### Passwords

Hermes SEG implements the following [NIST 800-63](https://pages.nist.gov/800-63-3/sp800-63-3.html) Password Guidelines:

- 8 character minimum password.
- 64 character maximum password.
- Able to check against known breached passwords via the use of the [haveibeenpwned.com](https://haveibeenpwned.com) API.
- Implementation of Multifactor Authentication via the use of [Time-Based One-Time Password (TOTP)](https://infogalactic.com/info/Time-based_One-time_Password_Algorithm), [Duo Security](https://duo.com) and [Webauthn](https://www.yubico.com/authentication-standards/webauthn/) Security Keys.
- Passwords are hashed with the [Argon2 KDF](https://infogalactic.com/info/Argon2).
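
The length limits and the breached-password check listed above can be reproduced with a few lines of Python. This is an added example, not Hermes SEG's own code: it assumes the Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<prefix>`) and replaces the network call with a constructed response so it runs offline; the function names are hypothetical.

```python
import hashlib
from typing import Callable

MIN_LEN, MAX_LEN = 8, 64  # length limits listed in the Passwords section


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """k-anonymity lookup: only the first 5 hex chars of the SHA-1 leave the host."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        # Padded responses carry decoy rows with a count of 0; those are not hits.
        if candidate.upper() == suffix and count.isdigit():
            return int(count)
    return 0


def check_password(password: str, fetch_range: Callable[[str], str]) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than 8 characters")
    if len(password) > MAX_LEN:
        problems.append("longer than 64 characters")
    if not problems and breach_count(password, fetch_range) > 0:
        problems.append("found in a known breach corpus")
    return problems


def constructed_range(prefix: str) -> str:
    """Offline stand-in for the range endpoint.
    Rows and counts are constructed for this example, not real API output."""
    rows = ["0018A45C4D1DEF81644B54AB7F969B88D65:3"]  # constructed filler row
    known = sha1_hex("ChangeMe2!")  # the default password shown on this page
    if known.startswith(prefix):
        rows.append(f"{known[5:]}:42")  # constructed count
    return "\r\n".join(rows)


if __name__ == "__main__":
    for pw in ("short", "ChangeMe2!", "correct horse battery staple"):
        print(repr(pw), check_password(pw, constructed_range))
```

To query the live service, pass a `fetch_range` that performs the HTTPS GET and returns the response body as text.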
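
For the One-Time Password step in the Two Factor procedure above, the following added example (not Hermes SEG or Authelia code) shows how a TOTP passcode is derived per RFC 6238 and why a passcode is only accepted "within the allotted time". The 30-second period, 6 digits and the one-step tolerance window are assumptions matching common authenticator defaults; the key is the RFC test secret.

```python
import hashlib
import hmac
import struct

RFC_KEY = b"12345678901234567890"  # test secret from RFC 4226 / RFC 6238


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-SHA1 over the 8-byte counter, then dynamic truncation (RFC 4226)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """The counter is the number of whole periods since the Unix epoch."""
    return hotp(key, int(unix_time) // period, digits)


def verify(key: bytes, submitted: str, unix_time: int,
           period: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps to absorb clock drift."""
    counter = int(unix_time) // period
    ok = False
    for step in range(counter - window, counter + window + 1):
        if step < 0:
            continue
        expected = hotp(key, step, digits).encode()
        # Constant-time comparison; keep looping so timing does not reveal the step.
        if hmac.compare_digest(expected, submitted.encode()):
            ok = True
    return ok


if __name__ == "__main__":
    code = totp(RFC_KEY, 59)
    print("code at t=59:", code)
    for t in (59, 89, 149):
        print(f"t={t}: accepted={verify(RFC_KEY, code, t)}")
```

If the server and the mobile device disagree on the time by more than the tolerance window, every passcode is rejected, so check time synchronization on both sides before resetting to One Factor.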