« Back to docs

Introduction to multi-factor authentication

VNC Connect supports multi-factor authentication, to protect your computers and data wherever you are.

Protecting your RealVNC account

We recommend turning on 2-step verification on the Security page of your RealVNC account. You’ll need a convenient mobile device hosting the Google Authenticator app.

You’ll then enter a unique TOTP code generated by Google Authenticator in addition to your account email and password every time you:

  • Sign in to your account online.
  • Sign in to VNC Server desk-side in order to apply your subscription to a remote computer.
  • Sign in to VNC Viewer in order to discover team computers and sync your address book.

Protecting your remote computers running VNC Server

Note

Multi-factor authentication is only available if you have a Professional or Enterprise subscription.

VNC Server is password-protected out-of-the-box. Authentication is mandatory for all connecting VNC Viewer users, without exception, whether connections are cloud or direct.

If you have a Professional or Enterprise subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.

Understanding the standard VNC Server authentication schemes

The standard authentication schemes for your subscription are available from VNC Server’s Options > Security page:

_images/VNC_Server_Options_Dialog_Authentication_Composite.png
Authentication scheme Subscription availability Explanation Supported technology
VNC password Enterprise, Professional, Home Only scheme for Home subscribers. VNC Viewer users enter the password you specify when you install VNC Server (this should be at least 6 case-sensitive characters long, and can include !,@*#&).  
System authentication (labelled Windows password, Mac password or UNIX password) Enterprise, Professional Default scheme for Enterprise and Professional subscribers. VNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer.  
Single sign-on Enterprise VNC Viewer users are transparently authenticated by secure network services, without having to enter a password. Kerberos
Smartcard/certificate store Enterprise, Professional VNC Viewer users are transparently authenticated by an X.509 certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password.

This scheme is considered two factor authentication on its own; the smartcard is something the user owns, and the PIN is something the user knows.
Yubikey
System authentication + RADIUS authentication Enterprise, Professional VNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. Duo, RSA SecureID, FreeRADIUS

Creating your own custom authentication scheme

If you have a Professional or Enterprise subscription, you can combine the standard authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.

To do this, specify the VNC Server Authentication parameter. This parameter is available from VNC Server’s Options > Expert page or, if you have an Enterprise subscription, in bulk or remotely using policy.

To combine schemes, use the + character. For example, the parameter value:

Certificate+Radius+SystemAuth

...mandates that connecting VNC Viewer users:

  1. Own a smartcard, and know the PIN.
  2. Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
  3. Know the system credentials (user name and password) of their registered user account.

A failure at any step terminates the connection.

You can also specify alternative schemes using the , character. For example, the parameter value:

Certificate,SystemAuth

...specifies that connecting VNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.

×