System Users
Access Control Policy
The Access Control Policy field lets you switch between One Factor Authentication (1FA), which consists of Username and Password authentication (the default), and Two Factor Authentication (2FA), which consists of Username and Password plus a Timed One Time Password (TOTP) generated on your mobile device for additional security.
Please note: Two Factor Authentication is a global setting for ALL system users. Enabling Two Factor Authentication will force ALL system users to register a mobile device for Timed One Time Password (TOTP).
Two Factor Authentication has the following prerequisites, which must be met before you enable it:
- Hermes SEG Outbound E-mail Flow must be working correctly
- ALL System User Accounts must have a valid e-mail address assigned to them. E-mail addresses can be assigned to System Users by navigating to System --> System Users.
- You must have an Authenticator app installed on your mobile device, such as FreeOTP, Google Authenticator, Authy, etc.
Once you set the Access Control Policy to Two Factor and click the Submit button, the system will IMMEDIATELY prompt you to register your first device. Click the Register device link at the bottom of the screen (Figure 1).
Figure 1
The system will display "An email has been sent to your address to complete the process" in the upper right-hand corner of the screen (Figure 2).
Figure 2
Check the mailbox of the e-mail address associated with your account and look for an e-mail with the subject "Register your mobile", then click the Register button at the bottom of the e-mail (Figure 3).
Figure 3
You will be taken to the Scan QR Code page. Using the Authenticator app you previously downloaded, scan the QR Code from the page and click the DONE button (Figure 4).
Figure 4
On the following One-Time Password screen, enter the passcode generated by your authenticator app (Figure 5).
Figure 5
If everything goes well and you typed in the correct passcode within the allotted time, you should be able to successfully log in to the Hermes SEG Administration Console.
If you run into a problem and the Two Factor authentication did not work for any reason, you can reset authentication back to One Factor by running the following script from the console with root privileges:
/opt/hermes/scripts/disable_authelia_2fa.sh
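What the QR code and passcode steps above rely on, as an added example (not Hermes SEG's or Authelia's own code): it parses a constructed otpauth:// enrollment URI, derives the passcode per RFC 6238, and shows how server clock drift alone makes a correct passcode fail. The sample URI, the SHA1/6-digit/30-second parameters and the one-step skew window are assumptions, not values taken from Hermes SEG.

```python
import base64, hmac, struct
from urllib.parse import urlparse, parse_qs

# Constructed enrollment URI of the kind a TOTP QR code encodes. The secret is
# the RFC 6238 test key in base32; all parameters are assumed defaults.
SAMPLE_URI = ("otpauth://totp/Hermes%20SEG:admin%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Hermes%20SEG"
              "&algorithm=SHA1&digits=6&period=30")

def parse_otpauth(uri):
    """Extract the shared key and TOTP parameters from an otpauth:// URI."""
    parts = urlparse(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    q = {k: v[0] for k, v in parse_qs(parts.query).items()}
    secret = q["secret"].upper()
    secret += "=" * (-len(secret) % 8)  # URIs usually omit base32 padding
    return {"key": base64.b32decode(secret),
            "algorithm": q.get("algorithm", "SHA1").lower(),
            "digits": int(q.get("digits", 6)),
            "period": int(q.get("period", 30))}

def totp(p, unix_time):
    """RFC 6238: HMAC over the time-step counter, then dynamic truncation."""
    counter = struct.pack(">Q", int(unix_time) // p["period"])
    mac = hmac.new(p["key"], counter, p["algorithm"]).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** p["digits"]).zfill(p["digits"])

def verify(p, submitted, server_time, skew_steps=1):
    """Return the matching step offset, or None if no step in the window matches.
    skew_steps=1 is an assumed tolerance, not a documented Hermes SEG setting."""
    for step in range(-skew_steps, skew_steps + 1):
        candidate = totp(p, server_time + step * p["period"])
        if hmac.compare_digest(candidate, submitted):
            return step
    return None

if __name__ == "__main__":
    params = parse_otpauth(SAMPLE_URI)
    phone_time = 59                      # constructed timestamp on the phone
    code = totp(params, phone_time)
    for drift in (0, 25, 300):           # seconds the server clock runs ahead
        result = verify(params, code, phone_time + drift)
        print(f"drift={drift:>3}s code={code} ->",
              "rejected" if result is None else f"accepted (step {result})")
```

If correct passcodes are rejected, compare the clocks on the server and on the mobile device before resetting to One Factor.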