(This change was originally scheduled by Zoom for 19 July 2020 but, based on customer feedback, including that of AARNet, has now been deferred until 27th September 2020 to allow those with more complex use cases, such as integrations, H.323/SIP scheduling and custom API controls, time to prepare.)
As part of Zoom's continued focus on security, from 27th September 2020 ALL Zoom meetings will require EITHER a Passcode or a Waiting Room to be enabled. This will apply globally to all users, to ensure that meetings cannot be interrupted by undesired attendees. The change will apply to all users (Basic/Licensed/On-prem) on paid accounts and managed domains. By default, if no action is taken, any meeting without a Passcode or Waiting Room will have the Waiting Room feature activated. Whilst effective in most small meeting scenarios, this may not be an ideal option when teaching.
For more details, please visit the Zoom Support page for the FAQ document.
NOTE: Zoom is changing the meeting term "password" to "passcode" to distinguish the two: passcodes are designed to be shared with invited meeting participants, while the term 'password' is more commonly used to refer to account login credentials.
- Meetings protected by a Passcode prevent strangers joining unless they know both the Meeting ID and the Passcode. The Meeting URL changes and becomes longer, embedding the passcode in a single URL so intended users can still join with one click. Once a Passcode is added to an existing scheduled meeting, the invitation must be re-distributed to all attendees, as the URL will change. Passcodes can be embedded in the dial string for H.323/SIP video room systems using pre-scheduled connections. They can also be made optional or mandatory for phone dial-in users. Passcodes are recommended as best practice for all new meetings.
- Meetings protected by a Waiting Room rely on the host (or co-host or Alternative Host) to admit people into the meeting. The Meeting invitation URL does not change when Waiting Room is enabled. However, if the host doesn’t sign in and join, the meeting doesn’t start. A setting is available (at Account, Group, or User levels) to allow participants who are from the same organisation as the host and who are signed in to Zoom to skip the Waiting Room and enter directly – a form of trusted user. Zoom Rooms from the same organisation as the host’s account automatically become a de facto host and can admit participants if the host user hasn’t yet joined. A meeting protected by a Waiting Room is less secure than one using a passcode, as unknown people can still connect (at least as far as the waiting room) by randomly typing in a Zoom meeting ID.
Meetings that are already scheduled and protected with a Passcode and/or Waiting Room will be unaffected on 27th September 2020.
- Zoom Administrators can find a list of existing meetings that are scheduled on their account without a Passcode or Waiting Room by examining the following report
Recommended Best Practices
We recommend Zoom Account Owners and Admins consider, action and communicate with their users in line with
1. Voluntarily adopting Passcodes where possible. See note 2 to enforce Passcode on all newly scheduled meetings. It should be noted that enforcing Passcodes on all existing meetings in a large organisation is difficult, as it will require the Join URL for all existing scheduled meetings to be re-issued (via Outlook, the LMS, etc. - wherever it has been published). Voluntary adoption may be simpler. Users should review the future meetings they own, activate a passcode, and redistribute the meeting invitation.
2. Activate ‘Require a Passcode when scheduling new meetings’. We recommend enabling this at the Account Settings level (i.e. all users) and ideally locking it so that all new meetings scheduled will use a passcode.
3. Review any LMS, Timetabling and other integrations that schedule Zoom meetings so they activate a passcode when scheduling (or lock it on in Account Settings).
4. Consider ‘Waiting Room’ default options at the Account Settings level. Many organisations may wish to set the default such that only external participants (guests) get placed into a Waiting Room while users in the same organisation/account can bypass the Waiting Room. Users on your account need to be signed in to Zoom when joining meetings for this bypass option to work. You can customise the Waiting Room experience with an approved list of domains whose signed-in users can bypass the Waiting Room and join the meeting directly. Zoom are also planning to enable a bypass option to allow select H.323/SIP system connections. As at 7 July, this feature is not yet available but is expected to be released shortly.
5. Review your use of H.323/SIP room systems. Do they join meetings where the Host user would typically be a participant in the room rather than joining as an individual? Ensure such meetings are scheduled with a Passcode, as the H.323/SIP system controls will not be able to perform the host functions of managing admission of participants from a Zoom Waiting Room. Ensure your room controls are capable of entering a Passcode when prompted as part of connecting to a Zoom meeting, or join with the passcode embedded in the dial string firstname.lastname@example.org or email@example.com.
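The following is an added example, not part of the original advisory and not a Zoom or AARNet tool: one way to triage an exported list of scheduled meetings against the recommendations above. The CSV column names and the meeting rows are constructed for illustration and are assumptions, not the format of any Zoom report.

```python
import csv
import io
from datetime import date

ENFORCEMENT = date(2020, 9, 27)  # enforcement date given in the advisory

# Constructed sample export; column names are hypothetical, not a Zoom report format.
SAMPLE_EXPORT = """meeting_id,topic,start_date,passcode,waiting_room,host_device
1000000001,Weekly lecture,2020-10-05,no,no,desktop
1000000002,Board meeting,2020-10-12,yes,yes,desktop
1000000003,Faculty room link,2020-10-01,no,yes,h323_sip
1000000004,Timetabled tutorial,2020-09-30,no,no,h323_sip
1000000005,Office hours,2020-10-02,no,yes,desktop
1000000006,Old seminar,2020-09-01,no,no,desktop
"""

def classify(row):
    """Return the follow-up action for one scheduled meeting."""
    if date.fromisoformat(row["start_date"]) < ENFORCEMENT:
        return "before-change"
    if row["passcode"] == "yes":
        return "ok"
    # Without a passcode the meeting depends on a Waiting Room (already set
    # or activated by default), which an H.323/SIP room system acting as
    # host cannot manage, so these meetings need a passcode first.
    if row["host_device"] == "h323_sip":
        return "add-passcode-room-host"
    if row["waiting_room"] != "yes":
        return "waiting-room-will-be-activated"
    # Waiting Room only: meets the requirement, but a passcode is best practice.
    return "waiting-room-only"

def audit(export_text):
    """Group meeting IDs by the action classify() assigns to them."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        findings.setdefault(classify(row), []).append(row["meeting_id"])
    return findings

if __name__ == "__main__":
    for action, ids in sorted(audit(SAMPLE_EXPORT).items()):
        print(f"{action}: {', '.join(ids)}")
```

Meetings reported as add-passcode-room-host will also need their invitation re-distributed, because adding a passcode changes the Join URL.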
If you choose to do nothing, Zoom will automatically activate Waiting Rooms for all meetings without a passcode. We recommend communicating to users the changed behaviour needed to join and, importantly, to host a Zoom meeting with Waiting Room turned on.
Communication should include consideration of Zoom Rooms if used. These often become a default host to meetings, and the touch screen control panel may be mounted on a wall and not at the table. Even if the room is configured to bypass the waiting room feature, external users may still need to be admitted via the Zoom Room controller interface.
To achieve maximum security when needed (for example, for a Board level discussion), activate multiple security factors for the same meeting:
- Passcodes [to protect against participants to whom the invitation details are not known]
- Authentication to join [requiring participants to prove their identity via a known and trusted domain(s)]
- Waiting Room – admitting only those who you expect to attend, and allowing some participants to be placed back into the waiting room if confidential discussions require restriction to a subset of participants. * See also note 5 re possible lack of host controls in H.323 room scenarios.
- Once the meeting starts, assign a co-host from a laptop to monitor both participants and waiting room
- Lock the meeting when all participants are in the meeting.
AARNet expect that this change may have significant user impact on some organisations, depending on how you use Zoom and your existing settings. It should be reviewed carefully.
If you have questions about this change, please do not hesitate to reach us at firstname.lastname@example.org.