VNC Connect supports multi-factor authentication, to protect your computers and data wherever you are.
Protecting your RealVNC account
We recommend everyone turns on 2-step verification for their RealVNC account. See "How do I set up 2-step authentication for my RealVNC account".
Protecting your remote computers running VNC Server
*Multi-factor authentication for VNC Server is only available if you have a Professional or Enterprise subscription and device access.
VNC Server, installed as part of VNC Connect on each remote computer, is password-protected out-of-the-box. Authentication is mandatory for all connecting VNC Viewer users, without exception, whether connections are cloud or direct.
If you have a Professional or Enterprise subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.
Understanding the standard VNC Server authentication schemes
The standard authentication schemes for your subscription and platform are available from VNC Server’s Options > Security page:
| Authentication scheme | Subscription availability | Platform availability | Explanation | Supported technology |
|---|---|---|---|---|
| VNC password | All | All | Only scheme for Home subscribers. VNC Viewer users enter the password you specify when you install VNC Server (this should be at least 6 case-sensitive characters long, and can include | |
| System authentication (labelled Windows password, Mac password or UNIX password) | Enterprise, Professional | All | Default scheme for Enterprise and Professional subscribers. VNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer. | Active Directory |
| Interactive system authentication (labelled Interactive Mac authentication or Interactive UNIX authentication) | Enterprise, Professional | Mac, Linux | VNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide credentials, and/or perform operations, mandated by particular PAM authentication module(s). | PAM |
| Single sign-on | Enterprise | All | VNC Viewer users are transparently authenticated by secure network services, without having to enter a password. | Kerberos |
| Smartcard/certificate store | Enterprise, Professional | All | VNC Viewer users are transparently authenticated by an X.509 digital certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. This scheme can be considered inherently two factors of authentication; the smartcard is something the user owns, and the PIN is something the user knows. | |
| System authentication + RADIUS authentication | Enterprise, Professional | All | VNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. | Duo, RSA SecurID, FreeRADIUS |
Creating your own custom authentication scheme
If you have a Professional or Enterprise subscription, you can combine the standard authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.
To do this, specify the VNC Server Authentication parameter. This parameter is available from VNC Server’s Options > Expert page or, if you have an Enterprise subscription, in bulk or remotely using policy.
To combine schemes, use the + character. For example, the parameter value:
...mandates that connecting VNC Viewer users:
- Own a smartcard, and know the PIN.
- Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
- Know the system credentials (user name and password) of their registered user account.
A failure at any step terminates the connection.
You can also specify alternative schemes using the , character. For example, the parameter value:
...specifies that connecting VNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.
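Because a connecting user only has to satisfy one of the , alternatives, a custom scheme is only as strong as its weakest alternative. The following is an added example, not RealVNC code: it parses an Authentication value using the + and , rules above and flags any alternative that provides fewer than two distinct kinds of factor. The scheme tokens (VncAuth, SystemAuth, Certificate, Radius), the factor mapping and the sample values are assumptions to verify against the parameter reference for your VNC Server version.

```python
# Added example: audit a VNC Server Authentication parameter value.
# Scheme tokens and the factor mapping below are assumptions; confirm them
# against the parameter reference for your VNC Server version.
FACTORS = {
    "VncAuth": {"knowledge"},                    # VNC password
    "SystemAuth": {"knowledge"},                 # OS user name and password
    "Certificate": {"possession", "knowledge"},  # smartcard plus PIN
    "Radius": {"possession"},                    # TOTP code, SMS, call or push
}


def parse_authentication(value):
    """Split a value into alternatives (',') of ordered steps ('+')."""
    alternatives = []
    for alt in value.split(","):
        steps = [s.strip() for s in alt.split("+")]
        if not all(steps):
            raise ValueError(f"empty scheme name in {value!r}")
        alternatives.append(steps)
    return alternatives


def audit(value, min_factors=2):
    """Report each alternative and whether every one meets the bar."""
    report = []
    for steps in parse_authentication(value):
        unknown = [s for s in steps if s not in FACTORS]
        kinds = set().union(*(FACTORS.get(s, set()) for s in steps))
        report.append({
            "steps": steps,
            "factor_kinds": sorted(kinds),
            "unknown": unknown,
            # An unrecognised scheme cannot be scored, so fail closed.
            "ok": not unknown and len(kinds) >= min_factors,
        })
    # A viewer needs only one alternative, so every alternative must pass.
    return {"alternatives": report, "compliant": all(r["ok"] for r in report)}


if __name__ == "__main__":
    for value in ("Certificate+Radius+SystemAuth",   # constructed samples
                  "Certificate,SystemAuth",
                  "SystemAuth+Radius"):
        result = audit(value)
        print(value, "->", "compliant" if result["compliant"] else "NOT compliant")
        for alt in result["alternatives"]:
            print("   ", "+".join(alt["steps"]), alt["factor_kinds"], alt["unknown"])
```

In this model two knowledge-only schemes chained with + still count as one kind of factor, which is stricter than counting steps.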