
Introduction to multi-factor authentication

VNC Connect supports multi-factor authentication, to protect your computers and data wherever you are.

Protecting your RealVNC account

We recommend everyone turns on 2-step verification for their RealVNC account by signing in online and navigating to the Security page. You’ll need a convenient mobile device hosting Authy or a similar TOTP-generating app.

You’ll then have to enter a unique TOTP code in addition to your account email and password every time you:

  • Sign in to your account online.
  • Sign in to VNC Server desk-side in order to apply your subscription to a remote computer (if you have device access).
  • Sign in to VNC Viewer in order to discover team computers and sync your address book.

This protects you should a malicious party guess or learn your account credentials.

If you have an Enterprise subscription and have invited people into your team to share remote access, each team member has their own RealVNC account. You can mandate that members enable 2-step verification in order to participate in your team. To do this, sign in online and navigate to the General page.

Note that requiring everyone includes you, and that the technician option is only available if you have instant support.

Protecting your remote computers running VNC Server

Note

Multi-factor authentication for VNC Server is only available if you have a Professional or Enterprise subscription and device access.

VNC Server, installed as part of VNC Connect on each remote computer, is password-protected out-of-the-box. Authentication is mandatory for all connecting VNC Viewer users, without exception, whether connections are cloud or direct.

If you have a Professional or Enterprise subscription, you have a choice of authentication schemes. The standard schemes offer either one or two factors of authentication. If you wish, you can create a custom scheme with as many factors as you need.

Understanding the standard VNC Server authentication schemes

The standard authentication schemes for your subscription and platform are available from VNC Server’s Options > Security page:

| Authentication scheme | Subscription availability | Platform availability | Explanation | Supported technology |
|---|---|---|---|---|
| VNC password | All | All | Only scheme for Home subscribers. VNC Viewer users enter the password you specify when you install VNC Server (this should be at least 6 case-sensitive characters long, and can include !,@*#&). | |
| System authentication (labelled Windows password, Mac password or UNIX password) | Enterprise, Professional | All | Default scheme for Enterprise and Professional subscribers. VNC Viewer users enter the user name and password they normally use to log on to their user account on the remote computer. | Active Directory |
| Interactive system authentication (labelled Interactive Mac authentication or Interactive UNIX authentication) | Enterprise, Professional | Mac, Linux | VNC Viewer users enter the user name they normally use to log on to their user account on the remote computer, and then provide credentials, and/or perform operations, mandated by particular PAM authentication module(s). | PAM |
| Single sign-on | Enterprise | All | VNC Viewer users are transparently authenticated by secure network services, without having to enter a password. | Kerberos |
| Smartcard/certificate store | Enterprise, Professional | All | VNC Viewer users are transparently authenticated by an X.509 certificate they own, stored on a smartcard or authentication token or in a certificate store, without having to enter a password. This scheme can be considered inherently two factors of authentication; the smartcard is something the user owns, and the PIN is something the user knows. | YubiKey |
| System authentication + RADIUS authentication | Enterprise, Professional | All | VNC Viewer users enter their user account credentials, and then must authenticate to a RADIUS server. | Duo, RSA SecurID, FreeRADIUS |

Creating your own custom authentication scheme

If you have a Professional or Enterprise subscription, you can combine the standard authentication schemes in any way you like to create a custom scheme consisting of as many factors as you need.

To do this, specify the VNC Server Authentication parameter. This parameter is available from VNC Server’s Options > Expert page or, if you have an Enterprise subscription, in bulk or remotely using policy.

To combine schemes, use the + character. For example, the parameter value:

Certificate+Radius+SystemAuth

...mandates that connecting VNC Viewer users:

  1. Own a smartcard, and know the PIN.
  2. Can respond to prompts from a RADIUS server, for example for a TOTP code, or via an SMS, phone call or push notification.
  3. Know the system credentials (user name and password) of their registered user account.

A failure at any step terminates the connection.

You can also specify alternative schemes using the , character. For example, the parameter value:

Certificate,SystemAuth

...specifies that connecting VNC Viewer users can choose whether to authenticate using a smartcard, or system credentials. If a smartcard is plugged in to the connecting device, it is preferred. If not, system authentication is mandated.
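
As an added example (not RealVNC code), the Python check below parses an Authentication value and flags any alternative that falls short of a required number of factor categories, since a connecting user only has to satisfy one alternative. It assumes that "," separates alternatives and that "+" binds tighter within each alternative, which the page does not state for mixed values; the scheme names are matched exactly as spelled above, and the factor category assigned to Radius is an assumption that depends on the RADIUS server's configuration.

```python
# Added example: audit a VNC Server Authentication parameter value.
# Assumption: "," separates alternatives; "+" combines schemes inside one
# alternative (the page does not define precedence for mixed values).

# Factor categories per scheme. Only the three scheme names shown on the page
# are listed. The Radius entry is an assumption: it depends on what the RADIUS
# server actually prompts for (TOTP, SMS, push, ...).
SCHEME_FACTORS = {
    "Certificate": {"possession", "knowledge"},  # smartcard owned + PIN known
    "Radius": {"possession"},                    # assumed second-device prompt
    "SystemAuth": {"knowledge"},                 # user name and password
}


def parse_authentication(value):
    """Return the alternatives, each as an ordered list of scheme names."""
    alternatives = []
    for alt in value.split(","):
        steps = [s.strip() for s in alt.split("+")]
        if not all(steps):
            raise ValueError(f"empty scheme in {value!r}")
        unknown = [s for s in steps if s not in SCHEME_FACTORS]
        if unknown:
            raise ValueError(f"unrecognised scheme(s): {unknown}")
        alternatives.append(steps)
    return alternatives


def audit(value, min_categories=2):
    """Check every alternative; the weakest one decides compliance."""
    report = []
    for steps in parse_authentication(value):
        cats = set().union(*(SCHEME_FACTORS[s] for s in steps))
        report.append({
            "steps": steps,
            "categories": sorted(cats),
            "ok": len(cats) >= min_categories,
        })
    return {"alternatives": report, "compliant": all(r["ok"] for r in report)}


if __name__ == "__main__":
    # Constructed sample values using the scheme names from the page.
    for v in ("Certificate+Radius+SystemAuth", "Certificate,SystemAuth"):
        result = audit(v)
        print(v, "->", "OK" if result["compliant"] else "WEAK ALTERNATIVE")
        for alt in result["alternatives"]:
            print("   ", "+".join(alt["steps"]), alt["categories"], alt["ok"])
```

With the second value, the SystemAuth alternative is reported as knowledge-only, so a user without a smartcard connects on a single factor.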
