Introduction to multi-factor authentication
VNC Connect supports multi-factor authentication, to protect your computers and data wherever you are.
Protecting your RealVNC account
We recommend turning on 2-step verification on the Security page of your RealVNC account. You’ll need a convenient mobile device hosting Google Authenticator or a similar TOTP-generating app.
You’ll then enter a unique TOTP code in addition to your account email and password every time you:
- Sign in to your account online.
- Sign in to VNC Server desk-side in order to apply your subscription to a remote computer (if you have device access).
- Sign in to VNC Viewer in order to discover team computers and sync your address book.
Protecting your remote computers running VNC Server
Multi-factor authentication for VNC Server is only relevant to device access, and available with a Professional or Enterprise subscription.
VNC Server, installed as part of VNC Connect on each remote computer, is password-protected out-of-the-box. Authentication is mandatory for all connecting VNC Viewer users, without exception, whether connections are cloud or direct.
If you have a Professional or Enterprise subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.
Understanding the standard VNC Server authentication schemes
The standard authentication schemes for your subscription are available from VNC Server’s Options > Security page:
| Authentication scheme | Subscription availability | Explanation | Supported technology |
|---|---|---|---|
| VNC password | Enterprise, Professional, Home | Only scheme for Home subscribers. VNC Viewer users enter the password you specify when you install VNC Server (this should be at least 6 case-sensitive characters long, and can include | |
| System authentication (labelled Windows password, Mac password or UNIX password) | Enterprise, Professional | Default scheme for Enterprise and Professional subscribers. VNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer. | |
| Single sign-on | Enterprise | VNC Viewer users are transparently authenticated by secure network services, without having to enter a password. | Kerberos |
| Smartcard/certificate store | Enterprise, Professional | VNC Viewer users are transparently authenticated by an X.509 certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. This scheme can be considered inherently two factors of authentication; the smartcard is something the user owns, and the PIN is something the user knows. | |
| System authentication + RADIUS authentication | Enterprise, Professional | VNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. | Duo, RSA SecurID, FreeRADIUS |
Creating your own custom authentication scheme
If you have a Professional or Enterprise subscription, you can combine the standard authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.
To do this, specify the VNC Server Authentication parameter. This parameter is available from VNC Server’s Options > Expert page or, if you have an Enterprise subscription, in bulk or remotely using policy.
To combine schemes, use the + character. For example, the parameter value:
...mandates that connecting VNC Viewer users:
- Own a smartcard, and know the PIN.
- Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
- Know the system credentials (user name and password) of their registered user account.
A failure at any step terminates the connection.
You can also specify alternative schemes using the , character. For example, the parameter value:
...specifies that connecting VNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.