Introduction to Multi-Factor Authentication


RealVNC Connect supports multi-factor authentication, to protect your account, your computers and your data wherever you are.

Note that RealVNC Connect has two separate authentication systems: one for your RealVNC account, and one for RealVNC Server on each remote computer. No single credential controls remote access to your computers, and you can protect each of the two systems with two or more factors.

Protecting your RealVNC account

We recommend that everyone turns on 2-step verification for their RealVNC account. See: How do I set up 2-step authentication for my RealVNC account?

Protecting your remote computers running RealVNC Server

The available authentication schemes for RealVNC Server depend on your subscription.

RealVNC Server, which is the application installed on the remote devices you want to access, is password-protected out of the box. Authentication is mandatory for every connecting RealVNC Viewer user, without exception, whether the connection is made via the cloud or directly.

Depending on your subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.

Understanding the standard RealVNC Server authentication schemes

The standard authentication schemes for your subscription and platform are available from RealVNC Server’s Options > Security page:


Each scheme is listed below with its explanation and the supported technology.

Authentication scheme: VNC password
Explanation: RealVNC Viewer users enter the password you specify when you install RealVNC Server (this should be at least 6 case-sensitive characters long, and can include !,@*#&). This is a single shared secret, so it provides one factor only.
Supported technology: none listed (the password is built into RealVNC Server)

Authentication scheme: System authentication (labelled Windows password, Mac password or UNIX password)
Explanation: RealVNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer.
Supported technology: Active Directory

Authentication scheme: Interactive system authentication (labelled Interactive Mac authentication or Interactive UNIX authentication). Available on Mac and Linux only.
Explanation: RealVNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide the credentials and/or perform the operations mandated by the configured PAM authentication module(s).
Supported technology: PAM

Authentication scheme: Single sign-on. Enterprise subscription required. Note that this is not related to SSO for RealVNC cloud accounts.
Explanation: RealVNC Viewer users are transparently authenticated by secure network services, without having to enter a password. Requires RealVNC Viewer and RealVNC Server to be running on domain-joined devices.
Supported technology: Kerberos

Authentication scheme: Smartcard/certificate store
Explanation: RealVNC Viewer users are transparently authenticated by an X.509 digital certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. This scheme can be considered inherently two factors of authentication: the smartcard is something the user owns, and the PIN is something the user knows. Requires RealVNC Server to be running on a domain-joined device.
Supported technology: Yubikey

Authentication scheme: System authentication + RADIUS authentication
Explanation: RealVNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server.
Supported technology: RSA SecurID, FreeRADIUS

Authentication scheme: System authentication + Duo authentication
Explanation: RealVNC Viewer users enter their user account credentials, and then must authenticate to Duo using a text message, a 2FA code or a push notification within the Duo app.
Supported technology: Duo

Creating your own custom authentication scheme

Depending on your subscription, you can combine the above authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.

To do this, specify the RealVNC Server Authentication parameter. This parameter is available from RealVNC Server's Options > Expert page, or can be set in bulk or remotely using policy.

To combine schemes, use the + character. For example, the parameter value:

Certificate+SystemAuth+Radius

...mandates that connecting RealVNC Viewer users:

  1. Own a smartcard, and know the PIN.
  2. Know the system credentials (user name and password) of their registered user account.
  3. Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.

A failure at any step terminates the connection.

You can also specify alternative schemes using the , character. For example, the parameter value:

Certificate,SystemAuth

...specifies that connecting RealVNC Viewer users can authenticate using either a smartcard or system credentials. If a smartcard is plugged into the connecting device, it is preferred and used; if not, system authentication is mandated.
