Zoom Security: Passcodes and Waiting Rooms

All Zoom meetings should have EITHER a Passcode or Waiting Room enabled.

This is analogous to keeping a closed door on a physical meeting room. Not having at least one of these two options enabled is like leaving the door permanently open. AARNet recommend the use of a Passcode, or a Passcode plus a Waiting Room, as a best practice security element for all meetings.

In September 2020, Zoom announced they were working on a control that would allow individual Zoom administrators to require that every meeting uses at least one of Passcodes or Waiting Rooms. Users could choose which of the two to apply; administrators set the minimum standard rather than mandating one in particular. The indicative timeline for this feature was the end of 2020.

As a best practice, meetings should be protected by more than just a Meeting ID.

Note that 'Publicly Advertised' meetings carry additional risk. Meetings advertised to the general public on Facebook, other social media or websites (regardless of whether they are hosted in Zoom or another platform) are regularly targeted by people seeking to deliberately disrupt and offend. Hosts of such meetings should be prepared not only to control 'entry via the door' (using passcodes and waiting rooms), but also the behaviour of participants once they are in the meeting.

  • Meetings protected by a Passcode prevent strangers from joining unless they know both the Meeting ID and the Passcode (for example via e-mail, or because it was shared on the web/Facebook). The Meeting URL changes and becomes longer, embedding the passcode in a single URL so intended users can still join with one click. Meetings secured with a Passcode cannot be 'Zoom bombed' simply by typing a random set of numbers into the Zoom client. Once a Passcode is added to an existing scheduled meeting, the invitation must be re-distributed to all attendees, as the URL will change. Passcodes can be embedded in the dial string for H.323/SIP video room systems using pre-scheduled connections. They can also be made optional or mandatory for phone dial-in users. Passcodes are recommended as best practice for all new meetings.

  • Meetings protected by a Waiting Room rely on the host (or a co-host or Alternative Host) to admit people into the meeting. The Meeting invitation URL does not change when the Waiting Room is enabled. However, if the host doesn't sign in and join, the meeting doesn't start. A setting is available (at Account, Group or User level) to allow participants who are from the same organisation as the host and are signed in to Zoom to skip the Waiting Room and enter directly, a form of trusted user. Zoom Rooms from the same organisation as the host's account automatically become a de facto host and can admit participants if the host user hasn't yet joined. A meeting protected only by a Waiting Room is less secure than one using a passcode, as unknown people can still connect (at least as far as the waiting room) by randomly typing in a Zoom meeting ID. Waiting Rooms also become less effective as the number of participants grows and may not be an ideal option when teaching or for large meetings.

Zoom Administrators can find a list of existing meetings scheduled on their account without a Passcode or Waiting Room by examining the following report

Recommended Best Practices

We recommend Zoom Account Owners and Admins consider, action and communicate with their users in line with the following:

  1. Adopt Passcodes where possible. Activate the following setting at the Account Settings level (i.e. all users): 'Require a Passcode when scheduling new meetings'. Note that enforcing Passcodes on all existing meetings is difficult, as it requires the Join URL for every existing scheduled meeting to be re-issued (via Outlook, the LMS, etc., wherever it has been published). Voluntary adoption for existing schedules is simpler: users should review the future meetings they own, activate a passcode, and redistribute the meeting invitation.
  2. Review any LMS, Timetabling and other integrations that schedule Zoom meetings so they activate a passcode when scheduling (or lock it on in Account Settings).
  3. Consider 'Waiting Room' default options at the Account Settings level. Many organisations may wish to set the default such that only external participants (guests) are placed into a Waiting Room, while users in the same organisation/account bypass it. Users on your account need to be signed in to Zoom when joining meetings for this bypass option to work. You can customise the Waiting Room experience with an approved list of domains; signed-in users from those domains can bypass the Waiting Room and join the meeting directly.
  4. Review your use of H.323/SIP room systems. Do they join meetings where the Host user would typically be a participant in the room rather than joining as an individual? Ensure such meetings are scheduled with a Passcode, as the H.323/SIP system controls may not be able to perform the host function of admitting participants from a Zoom Waiting Room. Ensure your room controls are capable of entering a Passcode when prompted while connecting to a Zoom meeting, or join with the passcode embedded in the dial string. Alternatively, Zoom have a feature that their Support staff can enable which allows selected H.323/SIP systems to bypass the Waiting Room on internal meetings when using the public Zoom SIP Gateways (e.g. SIP dialling addresses). This does not work when dialling via the AARNet On-Premise gateways. Please contact the AARNet support team if you require this enabled on your account.

Your action plan when activating Passcodes, Waiting Rooms, or both should also include consideration of Zoom Rooms, if used. These often become the default host of meetings, and the touch screen control panel may be mounted on a wall rather than at the table. Even if the room itself is configured to bypass the waiting room, external users may still need to be admitted via the Zoom Room controller interface.

To achieve maximum security when needed (for example for a Board level discussion), activate multiple security factors for the same meeting:

  • Passcodes [to exclude anyone who does not know the invitation details]
  • Authentication to join [requiring participants to prove their identity via one or more known and trusted domains]
  • Waiting Room, admitting only those you expect to attend, and allowing some participants to be placed back into the waiting room if confidential discussions must be restricted to a subset of participants. See also item 4 above regarding the possible lack of host controls in H.323 room scenarios.
  • Once the meeting starts, assign a co-host on a laptop to monitor both the participant list and the waiting room.
  • Lock the meeting once all participants are in the meeting.
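The administrator report mentioned earlier (meetings with neither a Passcode nor a Waiting Room) and the layered controls just listed can both be checked against an export of scheduled meetings. The Python audit below is an added example, not AARNet's or Zoom's code; it assumes meeting records shaped like Zoom's API meeting object (a `password` string plus `settings.waiting_room` and `settings.meeting_authentication` booleans) and runs over a constructed sample.

```python
import json

# Constructed sample records. The field names follow Zoom's API v2 meeting object
# (password, settings.waiting_room, settings.meeting_authentication); this is an
# assumption, so verify them against your own account export before relying on it.
SAMPLE_MEETINGS_JSON = """
[
  {"id": 1001, "topic": "Weekly staff catch-up", "password": "",
   "settings": {"waiting_room": false, "meeting_authentication": false}},
  {"id": 1002, "topic": "Lecture: Networks 101", "password": "",
   "settings": {"waiting_room": true, "meeting_authentication": false}},
  {"id": 1003, "topic": "Board discussion", "password": "7gTq2x",
   "settings": {"waiting_room": true, "meeting_authentication": true}},
  {"id": 1004, "topic": "Public info session", "password": "",
   "settings": {}}
]
"""

def controls_for(meeting):
    """Return the set of entry controls enabled on one meeting record."""
    settings = meeting.get("settings") or {}
    controls = set()
    if meeting.get("password"):
        controls.add("passcode")
    if settings.get("waiting_room"):
        controls.add("waiting_room")
    if settings.get("meeting_authentication"):
        controls.add("authentication")
    return controls

def classify(meeting):
    """Tier a meeting: 'open' fails the minimum standard (no door at all),
    'waiting_room_only' meets it but is the weaker option, 'passcode' meets it,
    and 'layered' stacks a passcode with a waiting room and/or authentication."""
    c = controls_for(meeting)
    if "passcode" not in c and "waiting_room" not in c:
        return "open"
    if "passcode" not in c:
        return "waiting_room_only"
    if c & {"waiting_room", "authentication"}:
        return "layered"
    return "passcode"

def audit(meetings_json):
    """Classify every meeting in a JSON list; returns {meeting id: tier}."""
    return {m["id"]: classify(m) for m in json.loads(meetings_json)}

def needs_action(meetings_json):
    """Ids of meetings with neither control; these need a passcode added and
    their invitation re-issued, or a waiting room enabled."""
    return sorted(i for i, tier in audit(meetings_json).items() if tier == "open")
```

Feeding the real export into `audit` gives the per-meeting tier, and `needs_action` is the list to chase with owners.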

If you're in the Australian Education community and have questions about best practices with Zoom, please do not hesitate to reach us at