This article provides the steps for a basic setup of RealVNC Server that requires 2FA for all connections. It uses RealVNC Server's native Duo authentication, which was added in RealVNC Server 7.1.0.
Missing the Duo authentication option in RealVNC Server?
Native Duo authentication is only available on certain subscription plans. If you do not see an option for Duo authentication in the Authentication dropdown in RealVNC Server's Options after installing RealVNC Server 7.1.0 or later, please contact our Sales team to discuss adding native Duo to your subscription.
Please note that RealVNC cannot provide support for configuration of Duo. For help with Duo, please contact Duo.
Part 1 - Duo Account, Duo Application and Duo Users
Sign up for a Duo account
- Sign up for a Duo account: https://signup.duo.com/
- After you have verified your account, you will be prompted to set a password and (optionally) enable Duo Push for admin access. Complete these steps and you will be taken to the Admin Dashboard.
Add DUO Auth API as a Protected Application
- In the Admin Dashboard, click Applications, then click Protect an Application
- Search for DUO Auth API (may also appear as Partner Auth API) and click Protect.
- On the next screen, you will be shown an Integration key, Secret key, and API hostname.
You can rename the application by going to Applications, select DUO Auth API, scroll down to Settings and enter a new name (e.g. 'VNC Connect').
- In the Admin Dashboard, click Users, then click Add User
- Enter the username of the user to add
This should match the username you use when connecting to VNC Server
- Fill in your full name and email address and click Save Changes
- At the top, click Send Enrolment Email, then log out of Duo Admin by clicking your name in the top right corner and selecting Log Out
- Click the link in the enrolment email once you have received it
- Follow the on-screen prompts to complete the enrolment process by installing Duo Mobile on your Android/iOS device
Part 2 - RealVNC Server
- Open RealVNC Server from the start menu or tray icon. Open the menu (three horizontal lines) and select 'Options'.
- Go to Security > Authentication and select Windows password + Duo authentication. Then select Set up VNC Server for Duo...
- Enter your Integration key, Secret key, and API hostname. You will have generated these when adding DUO Auth API as a Protected Application.
- Click OK and then Apply.
Part 3 - RealVNC Viewer
- Enter your credentials for RealVNC Server
- Select your preferred method of authentication and select 'OK'. You will then be prompted to accept/reject the request on your Duo device(s).
If the username you log into RealVNC Server with is different from the email address used to set up Duo, you will need to add the username as an Alias. You can do this by signing into your Duo account, clicking User, selecting Add username alias, entering your username, and saving the change.
Configuring native Duo using Group Policy
After following the instructions in Part 1 (Duo Account, Duo Application, Duo Users), download and install the latest Group Policy ADMX templates.
In the Group Policy Editor, set the Authentication parameter to "SystemAuth+Duo". Then, set the DuoCredentials parameter as shown below:
The Integration key, Secret key and API hostname can be found in the Duo online Admin Dashboard; insert them into the web address to be used as the value for the DuoCredentials parameter.