Introduction to Multi-Factor Authentication

Follow

VNC Connect supports multi-factor authentication, to protect your computers and data wherever you are.

Protecting your RealVNC account

We recommend everyone turns on 2-step verification for their RealVNC account. See How do I set up 2-step authentication for my RealVNC account

Protecting your remote computers running VNC Server

*Multi-factor authentication for VNC Server is only available if you a Professional or Enterprise subscription and device access.

VNC Server, installed as part of VNC Connect on each remote computer, is password-protected out-of-the-box. Authentication is mandatory for all connecting VNC Viewer users, without exception, whether connections are cloud or direct.

If you have a Professional or Enterprise subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.

Understanding the standard VNC Server authentication schemes

The standard authentication schemes for your subscription and platform are available from VNC Server’s Options > Security page:

VNC_Server_Options_Dialog_Authentication_Composite.png

Authentication scheme Explanation Supported technology
VNC password

VNC Viewer users enter the password you specify when you install VNC Server (this should be at least 6 case-sensitive characters long, and can include !,@*#&).

This is the only scheme available for Home subscriptions.

 

System authentication
(labelled Windows passwordMac password or UNIX password)

VNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer.

This is the default scheme for Enterprise and Professional subscriptions.

Active Directory

Interactive system authentication
(labelled Interactive Mac authentication or Interactive UNIX authentication)

Available on Mac and Linux only

VNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide credentials, and/or perform operations, mandated by particular PAM authentication module(s). PAM

Single sign-on
Enterprise subscription required

VNC Viewer users are transparently authenticated by secure network services, without having to enter a password.

Requires VNC Viewer and VNC Server to be running on domain joined devices.

Kerberos
Smartcard/certificate store

VNC Viewer users are transparently authenticated by an X.509 digital certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. 

This scheme can be considered inherently two factors of authentication; the smartcard is something the user owns, and the PIN is something the user knows.

Requires VNC Server to be running on a domain joined device.

Yubikey
System authentication + RADIUS authentication VNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. Duo, RSA SecurID, FreeRADIUS

Creating your own custom authentication scheme

If you have a Professional or Enterprise subscription, you can combine the above authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.

To do this, specify the VNC Server Authentication parameter. This parameter is available from VNC Server’s Options > Expert page or, if you have an Enterprise subscription, in bulk or remotely using policy.

To combine schemes, use the + character. For example, the parameter value:

Certificate+Radius+SystemAuth

...mandates that connecting VNC Viewer users:

  1. Own a smartcard, and know the PIN.
  2. Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
  3. Know the system credentials (user name and password) of their registered user account.

A failure at any step terminates the connection.

You can also specify alternative schemes using the , character. For example, the parameter value:

Certificate,SystemAuth

...specifies that connecting VNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.

Was this article helpful?
9 out of 28 found this helpful

Comments

0 comments

Please sign in to leave a comment.