Zoom Security Enhancements: Passcode and Waiting Room 19 July 2020

To continue enhancing Zoom security and to ensure meetings can only be used by the intended participants, from 19th July 2020 Zoom will require ALL Zoom meetings to have EITHER a Passcode or Waiting Room enabled. This will apply globally to all users (Basic/Licensed/On-prem) on paid accounts and managed domains. By default, if no action is taken, any meeting without a Passcode or Waiting Room will have the Waiting Room feature activated.

For more details, please visit the Zoom Support page for the FAQ document.

NOTE: Zoom is changing the meeting "password" term to "passcode" to distinguish the two: passcodes are to be shared with invited meeting participants, while passwords are account login credentials and are not to be shared.

  • Meetings protected by a Passcode prevent strangers from joining unless they know both the Meeting ID and Passcode. The Meeting URL changes and becomes longer, embedding the passcode in a single URL so intended users can still join with one click. Once a Passcode is added to an existing scheduled meeting, the invitation must be re-distributed to all attendees as the URL will change. Passcodes can be embedded in the dial string for H.323/SIP video room systems using pre-scheduled connections. They can also be made optional or mandatory for phone dial-in users. Passcodes are recommended as best practice for all new meetings.
  • Meetings protected by a Waiting Room rely on the host (or co-host or Alternative Host) to admit people into the meeting. The Meeting invitation URL does not change when Waiting Room is enabled. However, if the host doesn’t sign in and join, the meeting doesn’t start. A setting is available (at Account, Group, or User levels) to allow participants who are from the same organisation as the host and signed in to Zoom to skip the Waiting Room and enter directly – a form of trusted user. Zoom Rooms from the same organisation as the host's account automatically become a de facto host and can admit participants if the host user hasn’t yet joined. A meeting protected by Waiting Room is less secure than one using a passcode, as unknown people can still connect (at least as far as the waiting room) by randomly typing in a Zoom meeting ID.

Meetings that are already scheduled and protected with Passcode and/or Waiting Room will be unaffected on 19th July 2020.

Recommended Best Practices

We recommend that Zoom Account Owners and Admins consider, action and communicate with their users in line with the following:

  1. Voluntarily adopt Passcodes where possible. See note 2 to enforce Passcodes on all newly scheduled meetings. Note that enforcing Passcodes on all existing meetings in a large organisation is difficult, as it will require the Join URL for all existing scheduled meetings to be re-issued (via Outlook, the LMS, etc., wherever it has been published). Voluntary adoption may be simpler. Users should review the future meetings they own, activate a passcode, and redistribute the meeting invitation.
  2. Activate ‘Require a Passcode when scheduling new meetings’. We recommend enabling this at the Account Settings level (i.e. all users) and ideally locking it so that all newly scheduled meetings will use a passcode.
  3. Review any LMS, Timetabling and other integrations that schedule Zoom meetings so they activate a passcode when scheduling (or lock it on in Account Settings).
  4. Consider ‘Waiting Room’ default options at the Account Settings level. Many organisations may wish to set the default such that only external participants (guests) are placed into a Waiting Room while users in the same organisation/account can bypass the Waiting Room. Users on your account need to be signed in to Zoom when joining meetings for this bypass option to work. You can customize the Waiting Room experience with an approved list of domains that can bypass the Waiting Room and directly join the meeting. WARNING: enabling "Waiting Room" at Account Settings will enable Waiting Room on ALL meetings (including existing and passcode-protected meetings).
  5. Review your use of H.323/SIP room systems. Do they join meetings where the Host user would typically be a participant in the room rather than joining as an individual? Ensure such meetings are scheduled with a Passcode, as the H.323/SIP system controls will not be able to perform the host functions of managing admission of participants from a Zoom Waiting Room. Ensure your room controls are capable of entering a Passcode when prompted as part of connecting to a Zoom meeting, or join with the passcode embedded in the dial string or

If you choose to do nothing by 19th July 2020, Zoom will automatically activate Waiting Rooms for all meetings without a passcode. We recommend communicating to users the changed behaviour needed to join and, importantly, that the host needs to be present in any Zoom meeting with Waiting Room turned on. This should include consideration of Zoom Rooms (which often become a default host, and where the control panel may be the touch screen or mounted on a wall and not at the table).
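The rules above can be applied to a list of scheduled meetings to see which ones need attention before the change. The following is an added example, not code from AARNet or Zoom; the record fields, action codes and sample meetings are constructed for illustration and do not reflect Zoom's export or API schema.

```python
from dataclasses import dataclass

@dataclass
class Meeting:
    # Constructed inventory record; field names are assumptions for this
    # example, not Zoom's own export or API schema.
    topic: str
    passcode: bool
    waiting_room: bool
    h323_sip_room_host: bool = False  # host sits in an H.323/SIP room

def effective_waiting_room(m, account_waiting_room):
    """Waiting Room state after 19 July 2020 under the rules on this page."""
    if account_waiting_room:   # account-level setting applies to ALL meetings
        return True
    if m.waiting_room:
        return True
    return not m.passcode      # unprotected meetings get it by default

def review(m, account_waiting_room=False):
    """Return the follow-up actions for one meeting as short codes."""
    actions = []
    if not m.passcode and not m.waiting_room:
        actions.append("AUTO_WAITING_ROOM")  # Zoom will change this meeting
    if not m.passcode:
        # Recommended practice; the join URL changes once a passcode is added.
        actions.append("ADD_PASSCODE_AND_REISSUE_INVITE")
    if effective_waiting_room(m, account_waiting_room) and m.h323_sip_room_host:
        # H.323/SIP room controls cannot admit people from the Waiting Room.
        actions.append("HOST_CANNOT_ADMIT_FROM_ROOM")
    return actions

# Constructed sample inventory.
MEETINGS = [
    Meeting("Weekly lecture", passcode=False, waiting_room=False),
    Meeting("Board meeting", passcode=True, waiting_room=True),
    Meeting("Council room (SIP)", True, False, h323_sip_room_host=True),
    Meeting("Faculty room (H.323)", False, False, h323_sip_room_host=True),
]

def report(account_waiting_room=False):
    return {m.topic: review(m, account_waiting_room) for m in MEETINGS}

if __name__ == "__main__":
    for wr in (False, True):
        print(f"account-level Waiting Room = {wr}")
        for topic, actions in report(wr).items():
            print(f"  {topic}: {', '.join(actions) or 'no action'}")
```

The second pass shows the interaction behind the warning in note 4: a passcode-only meeting hosted from an H.323/SIP room needs no action until Waiting Room is enabled at the account level.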

To achieve maximum security when needed (for example, for a Board-level discussion), activate multiple security factors for the same meeting:

  • Passcodes [to protect against participants to whom the invitation details are not known]
  • Authentication to join [requiring participants to prove their identity via a known and trusted domain(s)]
  • Waiting Room – admitting only those who you expect to attend and allowing some participants to be placed back into the waiting room if confidential discussions require restriction to a subset of participants. * See also note 5 re possible lack of host controls in H.323 room scenarios.
  • Once the meeting starts, assign a co-host from a laptop to monitor both participants and the waiting room.
  • Lock the meeting when all participants are in the meeting.

AARNet expect that this change may have significant user impact on some organisations, depending on how you use Zoom and your existing settings. It should be reviewed carefully.

 If you have questions about this change, please do not hesitate to reach us at