RealVNC Connect supports multi-factor authentication to protect your account, your computers and your data wherever you are. You can protect both your RealVNC account and your remote computers with two or more factors.
Protecting your RealVNC account
We recommend everyone turns on 2-step verification for their RealVNC account. See How do I set up 2-step authentication for my RealVNC account.
Protecting your remote computers running RealVNC Server
The available authentication schemes for RealVNC Server depend on your subscription.
RealVNC Server, which is the application that is installed on the remote devices you want to remotely access, is password-protected out-of-the-box. Authentication is mandatory for all connecting RealVNC Viewer users, without exception, whether connections are cloud or direct.
Depending on your subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.
Understanding the standard RealVNC Server authentication schemes
The standard authentication schemes for your subscription and platform are available from RealVNC Server’s Options > Security page:
| Authentication scheme | Explanation | Supported technology |
|---|---|---|
| VNC Device Password | RealVNC Viewer users enter the password you specify when you install RealVNC Server (this should be at least 6 case-sensitive characters long, and can include !,@*#&). See Creating and using a secure password. | |
| System Authentication (labelled Windows password, Mac password or UNIX password) | RealVNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer. | Active Directory |
| Interactive System Authentication (available on Mac and Linux only) | RealVNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide credentials, and/or perform operations, mandated by particular PAM authentication module(s). | PAM |
| Single Sign-On (SSPI/GSSAPI). Enterprise subscription required. Note: this is not related to Account SSO for RealVNC Accounts. | RealVNC Viewer users are transparently authenticated by secure network services, without having to enter a password. Requires RealVNC Viewer and RealVNC Server to be running on domain joined devices. | Kerberos |
| Single Sign-On (IdP via RealVNC services). Enterprise subscription required. | Cloud SSO Authentication lets users who are signed in to RealVNC Connect with Single Sign-On (SSO) via Microsoft Entra ID authenticate transparently when connecting to a remote computer running RealVNC Server. | Entra ID via RealVNC services |
| Smartcard/Certificate store (labelled Certificate) | RealVNC Viewer users are transparently authenticated by an X.509 digital certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. Requires RealVNC Server to be running on a domain joined device. | Yubikey |
| System authentication + RADIUS authentication | RealVNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. | RADIUS |
| System authentication + Duo authentication | RealVNC Viewer users enter their user account credentials, and then must authenticate to Duo using text, 2FA code or push notification within the Duo app. | Duo |
Creating your own custom authentication scheme
Depending on your subscription, you can combine the above authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.
To do this, specify the RealVNC Server Authentication parameter. You can set this parameter from RealVNC Server’s Options > Expert page, or in bulk or remotely using policy.
To combine schemes, use the + character. For example, the parameter value:
Certificate+SystemAuth+Radius
...mandates that connecting RealVNC Viewer users:
- Own a smartcard, and know the PIN.
- Know the system credentials (user name and password) of their registered user account.
- Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
A failure at any step terminates the connection.
You can also specify alternative schemes using the , character. For example, the parameter value:
Certificate,SystemAuth
...specifies that connecting RealVNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.
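The following is an added example, not RealVNC code: it parses an Authentication value using the + and , syntax described above and reports the alternative with the fewest schemes, because a connecting user only has to pass one alternative. It assumes that when both separators are mixed, each comma-separated alternative is a + chain; the function names and the third sample value are constructed for illustration.

```python
# Added example: audit a RealVNC Server Authentication parameter value.
# Assumption: when '+' and ',' are mixed, ',' separates alternatives and
# each alternative is a '+' chain of schemes that must all succeed.

def parse_authentication(value):
    """Return a list of alternatives, each a list of required scheme names."""
    alternatives = []
    for alternative in value.split(","):
        schemes = [name.strip() for name in alternative.split("+")]
        if not all(schemes):
            raise ValueError(f"empty scheme name in {value!r}")
        alternatives.append(schemes)
    return alternatives


def audit(value, min_schemes=2):
    """Judge the value by its weakest alternative.

    A user only has to pass one alternative, so the alternative with the
    fewest distinct schemes sets the effective strength.
    """
    alternatives = parse_authentication(value)
    weakest = min(alternatives, key=lambda schemes: len(set(schemes)))
    count = len(set(weakest))
    return {
        "alternatives": alternatives,
        "weakest": weakest,
        "schemes_required": count,
        "compliant": count >= min_schemes,
    }


if __name__ == "__main__":
    samples = [
        "Certificate+SystemAuth+Radius",             # from the page
        "Certificate,SystemAuth",                    # from the page
        "Certificate+SystemAuth,SystemAuth+Radius",  # constructed
    ]
    for sample in samples:
        result = audit(sample)
        status = "OK" if result["compliant"] else "WEAK"
        print(f"{status:4} {sample}: weakest = {'+'.join(result['weakest'])}")
```

Run against values exported from policy, this flags any Authentication setting where an alternative lets a user in with a single scheme, such as Certificate,SystemAuth.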