All Zoom meetings should have EITHER a Passcode or Waiting Room enabled.
This is analogous to keeping a closed door on a physical meeting room. Not having at least one of these two options enabled is like having an always open door. AARNet recommend the use of a Passcode, or Passcode plus a Waiting Room, as a best practice security element for all meetings. Requiring authenticated sign-in from particular domains when meeting with a known group of people can add yet more security, as can restricting the list of countries from which a person can join.
In 2020, Zoom enforced a minimum requirement that all meetings be protected by more than just a Meeting ID alone. A Passcode, a Waiting Room, or Authentication is always required. Combining more than one method provides extra protection. Meeting hosts are responsible for choosing which methods they activate when scheduling the meeting.
Note that 'Publicly Advertised' meetings carry additional risk. Meetings advertised to the general public on Facebook, social media or websites (regardless of whether hosted in Zoom or another platform) are regularly targeted by those seeking to deliberately disrupt and offend. Hosts often forget that a publicly advertised forum can, unless otherwise secured, be joined by anyone from anywhere in the world. Hosts of such meetings should not only be prepared to control 'entry via the door' (using passcodes and waiting rooms), but also the behaviour of participants once in the meeting.
- Webinars rather than Zoom Meetings are the first choice for public forums where the participants only need to listen, watch, and participate in polls, chat and Q&A. Most organisations license both Zoom Meetings and at least some Zoom Webinar licences, which can be allocated to those hosting public sessions when needed. Ask your local Zoom administrator when required.
- If a Meeting format is essential for extra participant interaction, first ensure it is protected by a Passcode to prevent strangers joining unless they have knowledge of both the Meeting ID and Passcode. The Meeting URL changes and becomes longer, embedding the passcode in a single URL so intended users can still join with one click. Meetings secured with a Passcode cannot be 'Zoom bombed' simply by typing a random set of numbers into the Zoom client, but they still can be if the full join URL is shared on the web or Facebook. Passcodes can be embedded in the dial string for H.323/SIP video room systems using pre-scheduled connections. They can also be made optional or mandatory for phone dial-in users. Passcodes are recommended as best practice for all new meetings. If adding a passcode to an existing meeting scheduled without one, the join instructions must be re-distributed to all attendees as the URL will change.
- Meetings protected by a Waiting Room rely on the host (or co-host or Alternative Host) to admit people into the meeting. Don't just 'admit all': only admit names you are at least expecting. The Meeting invitation URL does not change when Waiting Room is enabled. However, if the host doesn't sign in and join, the meeting doesn't start. A setting is available (at Account, Group, or User levels) to allow participants from the same organisation as the host, who are signed in to Zoom, to skip the Waiting Room and enter directly, as a form of trusted user. Zoom Rooms from the same organisation as the host's account automatically become a de facto host and can admit participants if the host user hasn't yet joined. A meeting protected only by a Waiting Room is less secure than one using a passcode, as unknown people can still connect (at least as far as the waiting room) by randomly typing in a Zoom meeting ID. Waiting Rooms are also less effective the larger the number of participants, and may not be an ideal option when teaching or for large meetings.
- Consider, and where possible use, Registration. Both Zoom Meetings and Zoom Webinars include an inbuilt feature that provides a registration URL you can share publicly; the actual join URL is then emailed only to approved registrants. You can choose whether to approve each registration manually or automatically. Requiring prior registration of name, email and organisation is often sufficient to deter 'opportunistic' attacks on meetings. A targeted attack might still occur on high-profile or politically sensitive meetings. In these situations, use a webinar, or have multiple co-hosts monitoring for and ready to respond to any abuse.
Zoom Administrators can find a list of existing meetings scheduled on their account without a Passcode or Waiting Room by examining the following report.
Recommended Best Practices
We recommend Zoom Account Owners and Admins consider, action and communicate with their users in line with the following:
- Adopt Passcodes where possible. Activate the following setting at the Account Settings level (i.e. all users): 'Require a Passcode when scheduling new meetings'. Note that enforcing Passcodes on all existing meetings is difficult, as it requires the Join URL for all existing scheduled meetings to be re-issued (via Outlook, the LMS, etc., wherever it has been published). Voluntary adoption for existing schedules is simpler: users should review the future meetings they own, activate a passcode, and redistribute the meeting invitation.
- Review any LMS, Timetabling and other integrations that schedule Zoom meetings so they activate a passcode when scheduling (or lock it on in Account Settings).
- Consider 'Waiting Room' default options at the Account Settings level. Many organisations may wish to set the default such that only external participants (guests) are placed into a Waiting Room, while users in the same organisation/account can bypass it. Users on your account need to be signed in to Zoom when joining meetings for this bypass option to work. You can customise the Waiting Room experience with an approved list of domains whose signed-in users can bypass the Waiting Room and join the meeting directly.
- Use a Webinar rather than a Meeting when presenting publicly in forums where the attendees are not all known and trusted. If a Meeting format must be used, require Registration beforehand.
- Review your use of H.323/SIP room systems. Do they join meetings where the Host user would typically be a participant in the room rather than joining as an individual? Ensure such meetings are scheduled with a Passcode, as the H.323/SIP system controls may not be able to perform the host function of admitting participants from a Zoom Waiting Room. Ensure your room controls are capable of entering a Passcode when prompted as part of connecting to a Zoom meeting, or join with the passcode embedded in the dial string: meetingid.passcode@zmau.us or meetingid.passcode@zoom.aarnet.edu.au. Zoom have a feature that their Support staff can enable that allows select H.323/SIP systems to bypass the Waiting Room on internal meetings when using the public Zoom SIP Gateways (e.g. @zmau.us SIP dialling addresses). This does not work when dialling via the AARNet On-Premise gateways. Please contact the AARNet support team if you require this enabled on your account.
Your action plan when activating Passcodes, Waiting Rooms, or both should also include consideration of Zoom Rooms if used. These often become a default host to meetings, and the touch screen control panel may be mounted on a wall and not at the table. Even if the room itself is configured to bypass the waiting room, external users may still need to be admitted via the Zoom Room controller interface.
To achieve maximum security when needed (for example for a Board level discussion), activate multiple security factors for the same meeting:
- Passcodes [to protect against participants to whom the invitation details are not known]
- Authentication to join [requiring participants to prove their identity via a known and trusted domain(s)]
- Waiting Room, admitting only those who you expect to attend and allowing some participants to be placed back into the waiting room if confidential discussions require restriction to a subset of participants. See also the H.323/SIP room systems note above regarding the possible lack of host controls in H.323 room scenarios.
- Once the meeting starts, assign a co-host from a laptop to monitor both participants and waiting room
- Lock the meeting when all participants are in the meeting.
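The minimum rule (a Passcode, a Waiting Room, or Authentication on every meeting) and the layered set above can be checked mechanically across a list of scheduled meetings. The audit below is an added example, not AARNet's report or Zoom's own tooling; it assumes meeting records shaped like the Zoom REST API meeting object (a "password" field plus "waiting_room" and "meeting_authentication" booleans under "settings"), uses constructed sample data, and the tier names are its own.

```python
import json

# Constructed sample records (not real meetings), shaped like the meeting
# objects the Zoom REST API returns. Assumption: the relevant fields are
# "password" (the passcode) and, under "settings", the booleans
# "waiting_room" and "meeting_authentication".
SAMPLE_MEETINGS = json.loads("""[
 {"id": 1, "topic": "Public info session", "password": "",
  "settings": {"waiting_room": false, "meeting_authentication": false}},
 {"id": 2, "topic": "Lecture", "password": "",
  "settings": {"waiting_room": true, "meeting_authentication": false}},
 {"id": 3, "topic": "Project sync", "password": "8dK2pQ",
  "settings": {"waiting_room": false, "meeting_authentication": false}},
 {"id": 4, "topic": "Board meeting", "password": "Zx91mT",
  "settings": {"waiting_room": true, "meeting_authentication": true}}
]""")

FACTORS = ("passcode", "waiting_room", "authentication")

def active_factors(meeting):
    """Return which of the three entry controls the meeting has enabled."""
    s = meeting.get("settings") or {}
    enabled = {
        "passcode": bool(meeting.get("password")),
        "waiting_room": bool(s.get("waiting_room")),
        "authentication": bool(s.get("meeting_authentication")),
    }
    return tuple(f for f in FACTORS if enabled[f])

def classify(meeting):
    """Map a meeting to a tier; the tier labels are this example's own."""
    active = active_factors(meeting)
    if not active:
        return "OPEN DOOR"          # Meeting ID alone: fails the minimum rule
    if len(active) == 3:
        return "MAXIMUM"            # passcode + authentication + waiting room
    if len(active) == 2:
        return "LAYERED"
    if active == ("waiting_room",):
        return "WAITING ROOM ONLY"  # lobby still reachable by guessing the ID
    return "SINGLE FACTOR"

def audit(meetings):
    """Return (id, topic, tier) for every meeting, weakest tiers first."""
    order = ["OPEN DOOR", "WAITING ROOM ONLY", "SINGLE FACTOR", "LAYERED", "MAXIMUM"]
    rows = [(m["id"], m["topic"], classify(m)) for m in meetings]
    return sorted(rows, key=lambda r: order.index(r[2]))

if __name__ == "__main__":
    for mid, topic, tier in audit(SAMPLE_MEETINGS):
        print(f"{tier:18} {mid:>4} {topic}")
```

Meetings reported as OPEN DOOR need a passcode (and redistributed invitations) before they next run; WAITING ROOM ONLY meetings are the ones the page singles out as still reachable by an ID guess.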
If you're in the Australian Education community and have questions about best practices with Zoom, please do not hesitate to reach us at support@aarnet.edu.au.