RealVNC Connect supports multi-factor authentication to protect your account, your computers and your data wherever you are.
Note that RealVNC Connect has two separate password/authentication systems, so no single credential controls remote access to your computers. You can protect both systems with two or more factors.
Protecting your RealVNC account
We recommend everyone turns on 2-step verification for their RealVNC account. See "How do I set up 2-step authentication for my RealVNC account".
Protecting your remote computers running RealVNC Server
The available authentication schemes for RealVNC Server depend on your subscription.
RealVNC Server, the application installed on the remote devices you want to access, is password-protected out of the box. Authentication is mandatory for all connecting RealVNC Viewer users, without exception, whether connections are cloud or direct.
Depending on your subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.
Understanding the standard RealVNC Server authentication schemes
The standard authentication schemes for your subscription and platform are available from RealVNC Server’s Options > Security page:
Authentication scheme | Explanation | Supported technology |
---|---|---|
VNC password | RealVNC Viewer users enter the password you specify when you install RealVNC Server (this should be at least 6 case-sensitive characters long, and can include | |
System authentication | RealVNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer. | Active Directory |
Interactive system authentication (Mac and Linux only) | RealVNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide credentials, and/or perform operations, mandated by particular PAM authentication module(s). | PAM |
Single sign-on | RealVNC Viewer users are transparently authenticated by secure network services, without having to enter a password. Requires RealVNC Viewer and RealVNC Server to be running on domain-joined devices. | Kerberos |
Smartcard/certificate store | RealVNC Viewer users are transparently authenticated by an X.509 digital certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. Requires RealVNC Server to be running on a domain-joined device. | YubiKey |
System authentication + RADIUS authentication | RealVNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. | RSA SecurID, FreeRADIUS |
System authentication + Duo authentication | RealVNC Viewer users enter their user account credentials, and then must authenticate to Duo using text, 2FA code or push notification within the Duo app. | Duo |
Creating your own custom authentication scheme
Depending on your subscription, you can combine the above authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.
To do this, specify the RealVNC Server Authentication parameter. This parameter is available from RealVNC Server’s Options > Expert page or in bulk or remotely using policy.
To combine schemes, use the + character. For example, the parameter value:
Certificate+SystemAuth+Radius
...mandates that connecting RealVNC Viewer users:
- Own a smartcard, and know the PIN.
- Know the system credentials (user name and password) of their registered user account.
- Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
A failure at any step terminates the connection.
You can also specify alternative schemes using the , character. For example, the parameter value:
Certificate,SystemAuth
...specifies that connecting RealVNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.
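The following Python is an added illustration, not RealVNC's code, of the parameter semantics described above: how a value is split into alternative chains, which chain a connecting device is put through, how a failure at any step terminates the connection, and a lint that reports the weakest path an administrator has left open. It assumes that "+" binds tighter than "," (the page shows each operator only on its own); the available-factor sets and the check callback are constructed inputs.

```python
def parse_authentication(value):
    """Split an Authentication parameter value into alternative chains.

    ',' separates alternatives the connecting user may choose between;
    '+' joins factors that must all succeed within one alternative.
    Assumption (not stated on the page): '+' binds tighter than ','.
    """
    alternatives = []
    for alt in value.split(","):
        chain = [factor.strip() for factor in alt.split("+") if factor.strip()]
        if not chain:
            raise ValueError(f"empty scheme in {value!r}")
        alternatives.append(chain)
    return alternatives


def choose_chain(value, available):
    """Pick the chain a connecting user is put through.

    Alternatives are tried in the order written; the first whose factors the
    connecting device can all supply wins (a plugged-in smartcard is preferred
    over system credentials for 'Certificate,SystemAuth'). None means no
    alternative is satisfiable, so the connection is refused.
    """
    for chain in parse_authentication(value):
        if all(factor in available for factor in chain):
            return chain
    return None


def run_chain(chain, check):
    """Walk the factors in order; a failure at any step ends the connection.

    `check(factor)` is a caller-supplied verifier returning True on success.
    Returns (accepted, number_of_factors_passed).
    """
    passed = 0
    for factor in chain:
        if not check(factor):
            return False, passed
        passed += 1
    return True, passed


def weakest_path(value):
    """Lint: the fewest factors any alternative admits a user with.

    Appending ',SystemAuth' as a convenience fallback to a three-factor chain
    silently makes the computer reachable with a single factor.
    """
    return min(len(chain) for chain in parse_authentication(value))
```

Run weakest_path over every Authentication value you push out by policy and treat any result below your required factor count as a misconfiguration.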