Comment 2 for bug 1809252

The VNC password authentication scheme is not extensible. It is unfixably broken by design.

QEMU provides the SASL authentication scheme for VNC which allows for strong authentication, when combined with the VeNCrypt authentication scheme that uses TLS.

These extensions are supported by the gtk-vnc client used by remote-viewer, virt-viewer, virt-manager, GNOME Boxes and more. Other VNC clients are also known to implement VeNCrypt, though SASL support is less wide spread.

From a QEMU POV, there's nothing more we need todo really - any remaining gaps are client side.