VNC Connect supports multi-factor authentication, to protect your computers and data wherever you are.
Protecting your RealVNC account
We recommend everyone turns on 2-step verification for their RealVNC account. See How do I set up 2-step authentication for my RealVNC account
Protecting your remote computers running VNC Server
*Multi-factor authentication for VNC Server is only available if you a Professional or Enterprise subscription and device access.
VNC Server, installed as part of VNC Connect on each remote computer, is password-protected out-of-the-box. Authentication is mandatory for all connecting VNC Viewer users, without exception, whether connections are cloud or direct.
If you have a Professional or Enterprise subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.
Understanding the standard VNC Server authentication schemes
The standard authentication schemes for your subscription and platform are available from VNC Server’s Options > Security page:
| Authentication scheme | Explanation | Supported technology |
|---|---|---|
| VNC password |
VNC Viewer users enter the password you specify when you install VNC Server (this should be at least 6 case-sensitive characters long, and can include This is the only scheme available for Home subscriptions. |
|
|
System authentication |
VNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer. This is the default scheme for Enterprise and Professional subscriptions. |
Active Directory |
|
Interactive system authentication Available on Mac and Linux only |
VNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide credentials, and/or perform operations, mandated by particular PAM authentication module(s). | PAM |
|
Single sign-on |
VNC Viewer users are transparently authenticated by secure network services, without having to enter a password. Requires VNC Viewer and VNC Server to be running on domain joined devices. |
Kerberos |
| Smartcard/certificate store |
VNC Viewer users are transparently authenticated by an X.509 digital certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. Requires VNC Server to be running on a domain joined device. |
Yubikey |
| System authentication + RADIUS authentication | VNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. | Duo, RSA SecurID, FreeRADIUS |
Creating your own custom authentication scheme
If you have a Professional or Enterprise subscription, you can combine the above authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.
To do this, specify the VNC Server Authentication parameter. This parameter is available from VNC Server’s Options > Expert page or, if you have an Enterprise subscription, in bulk or remotely using policy.
To combine schemes, use the + character. For example, the parameter value:
Certificate+Radius+SystemAuth
...mandates that connecting VNC Viewer users:
- Own a smartcard, and know the PIN.
- Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
- Know the system credentials (user name and password) of their registered user account.
A failure at any step terminates the connection.
You can also specify alternative schemes using the , character. For example, the parameter value:
Certificate,SystemAuth
...specifies that connecting VNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.
Comments
Please sign in to leave a comment.