Zoom Security: Passcodes and Waiting Rooms

(This change was originally scheduled by Zoom for 19 July 2020, and subsequently for 27 September 2020, but based on customer feedback has now been deferred. Zoom are working to enable a control that will allow individual Zoom administrators to activate this change in line with their own timing and needs. The change raises a number of complex interactions and use cases with integrations, and with H.323/SIP scheduling and custom API controls in particular. If you rely on these features, please assess the change carefully.)

As part of Zoom's continued focus on security, ALL Zoom meetings will in future require EITHER a Passcode OR a Waiting Room to be enabled. This will apply globally to all users, to ensure that meetings cannot be interrupted by undesired attendees. The change will apply to all users (Basic/Licensed/On-prem) on paid accounts and managed domains. Meetings secured with a Passcode cannot be 'Zoom bombed' simply by typing a random Meeting ID into the Zoom client: a participant can only join if they hold the passcode, or the join URL that embeds it, so the URL itself must be treated as a secret. Meetings secured by a Waiting Room rely on the host to consciously manage who they expect to be attending, and who they are admitting to the meeting. Activating a Waiting Room is simplest, as the invitation does not need to be re-issued, but the host must be ready to sign in and manage people joining. This includes the scenario where the host joins from a Meeting or Conference Room. Whilst effective in most small meeting scenarios, Waiting Rooms may not be an ideal option when teaching or for large meetings. AARNet recommend the use of a Passcode, or a Passcode plus a Waiting Room, as best practice security for all meetings.

For more details, please review the Zoom Support FAQ document.

NOTE: Zoom has recently adopted the term "passcode" to refer to the additional key needed to enter Zoom meetings. This distinguishes it from passwords. Passcodes are designed to be shared with all invited meeting participants. 'Password' is used to refer to your personal and private account login credentials.

  • Meetings protected by a Passcode prevent strangers from joining unless they know both the Meeting ID and the Passcode. The Meeting URL changes and becomes longer, embedding the passcode (as the pwd query parameter) in a single URL so intended users can still join with one click. Because the URL carries the passcode, anyone who obtains the URL can join without being asked for it: publishing the join URL on an open web page or public calendar defeats the passcode entirely. The invitation for any existing scheduled meeting, once a Passcode is added, must be re-distributed to all attendees as the URL will change. Passcodes can be embedded in the dial string for H.323/SIP video room systems using pre-scheduled connections. They can also be made optional or mandatory for phone dial-in users. Passcodes are recommended as best practice for all new meetings.

  • Meetings protected by a Waiting Room rely on the host (or co-host or Alternative Host) to admit people into the meeting. The Meeting invitation URL does not change when Waiting Room is enabled. However, if the host doesn't sign in and join, the meeting doesn't start. A setting is available (at Account, Group, or User level) to allow participants from the same organisation as the host, who are signed in to Zoom, to skip the Waiting Room and enter directly, a form of trusted user. Zoom Rooms from the same organisation as the host's account automatically become a de facto host and can admit participants if the host user hasn't yet joined. A meeting protected only by a Waiting Room is less secure than one using a passcode, as unknown people can still connect (at least as far as the waiting room) by randomly typing in a Zoom Meeting ID, and the meeting is only as safe as the host's diligence in admitting people.

Meetings that are already scheduled and protected with a Passcode and/or Waiting Room, will be unaffected when the account administrators activate the requirement to have one, or the other, active.

  • Zoom Administrators can find a list of existing meetings that are scheduled on their account without a Passcode or Waiting Room by examining the following report
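The same audit can be scripted against meeting records pulled from the Zoom API. The block below is an added example, not AARNet's or Zoom's own code: it assumes each record has the shape of the Zoom API v2 meeting object (`id`, `topic`, `password`, `join_url`, and `settings.waiting_room` / `settings.meeting_authentication`), and the sample records are constructed for illustration, not real meetings. It flags meetings with neither control, notes when a join URL already carries the passcode (so the URL must be handled as a secret), and builds the PATCH body an admin would send to fix a finding, including whether the invitation has to be re-issued because the URL will change. The 8-digit numeric passcode length is an assumption.

```python
"""Audit Zoom meeting records for a missing Passcode or Waiting Room.

Added example, not AARNet's or Zoom's code. Record shape is assumed to follow
the Zoom API v2 meeting object; SAMPLE_MEETINGS below are constructed.
"""
import secrets
import string
from typing import Dict, List
from urllib.parse import parse_qs, urlparse

# Constructed sample records (not real meetings, IDs and URLs are placeholders).
SAMPLE_MEETINGS: List[Dict] = [
    {"id": 11111111111, "topic": "Weekly team sync", "password": "",
     "join_url": "https://example.zoom.us/j/11111111111",
     "settings": {"waiting_room": False, "meeting_authentication": False}},
    {"id": 22222222222, "topic": "Lecture: Networks 101", "password": "a8Kq2v",
     "join_url": "https://example.zoom.us/j/22222222222?pwd=abc123",
     "settings": {"waiting_room": False, "meeting_authentication": False}},
    {"id": 33333333333, "topic": "Drop-in help desk", "password": "",
     "join_url": "https://example.zoom.us/j/33333333333",
     "settings": {"waiting_room": True, "meeting_authentication": False}},
    {"id": 44444444444, "topic": "Board discussion", "password": "Zz9qw2",
     "join_url": "https://example.zoom.us/j/44444444444?pwd=def456",
     "settings": {"waiting_room": True, "meeting_authentication": True}},
]


def protections(meeting: Dict) -> Dict[str, bool]:
    """Which of the controls discussed on this page a record has enabled."""
    settings = meeting.get("settings") or {}
    return {
        "passcode": bool(meeting.get("password")),
        "waiting_room": bool(settings.get("waiting_room")),
        "authentication": bool(settings.get("meeting_authentication")),
    }


def url_carries_passcode(join_url: str) -> bool:
    """True when the join URL embeds the passcode as Zoom's `pwd` query parameter.

    Such a URL is itself a secret: whoever holds it joins without typing the passcode.
    """
    return "pwd" in parse_qs(urlparse(join_url).query)


def audit(meetings: List[Dict]) -> List[Dict]:
    """Return the meetings that have NEITHER a Passcode nor a Waiting Room."""
    findings = []
    for m in meetings:
        p = protections(m)
        if not (p["passcode"] or p["waiting_room"]):
            findings.append({"id": m["id"], "topic": m["topic"]})
    return findings


def new_passcode(length: int = 8) -> str:
    """Random numeric passcode from the OS CSPRNG (length is an assumption)."""
    return "".join(secrets.choice(string.digits) for _ in range(length))


def remediation(meeting: Dict, also_waiting_room: bool = False) -> Dict:
    """Build the PATCH body that brings a meeting up to the page's recommendation.

    A passcode is always added if missing (the recommended control); a Waiting
    Room is added on request. Adding a passcode changes the join URL, so the
    invitation must be re-distributed; enabling a Waiting Room does not.
    """
    p = protections(meeting)
    patch: Dict = {}
    if not p["passcode"]:
        patch["password"] = new_passcode()
    if also_waiting_room and not p["waiting_room"]:
        patch["settings"] = {"waiting_room": True}
    return {"id": meeting["id"], "patch": patch, "reissue_invite": "password" in patch}


if __name__ == "__main__":
    for finding in audit(SAMPLE_MEETINGS):
        fix = remediation(SAMPLE_MEETINGS[[m["id"] for m in SAMPLE_MEETINGS].index(finding["id"])])
        print(finding, "->", fix)
```

In practice the records come from `GET /users/{userId}/meetings` followed by `GET /meetings/{meetingId}` for the settings, and the `patch` dict is the body for `PATCH /meetings/{meetingId}`; the `reissue_invite` flag is what drives the re-distribution step that makes retrofitting passcodes across a large organisation expensive.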

Recommended Best Practices

We recommend Zoom Account Owners and Admins consider, action and communicate with their users in line with the following:

  1. Adopt Passcodes where possible. See note 2 to enforce Passcodes on all newly scheduled meetings. It should be noted that enforcing Passcodes on all existing meetings in a large organisation is difficult, as it will require the Join URL for every existing scheduled meeting to be re-issued (via Outlook, the LMS, etc., wherever it has been published). Voluntary adoption may be simpler: users should review the future meetings they own, activate a passcode, and redistribute the meeting invitation.
  2. Activate ‘Require a Passcode when scheduling new meetings’. We recommend enabling at the Account Settings level (ie. All users) and ideally locking so that all new meetings scheduled will use a passcode.
  3. Review any LMS, Timetabling and other integrations that schedule Zoom meetings so they activate a passcode when scheduling (or lock it on in Account Settings).
  4. Consider 'Waiting Room' default options at the Account Settings level. Many organisations may wish to set the default such that only external participants (guests) are placed into a Waiting Room, while users on the same organisation/account can bypass it. Users on your account need to be signed in to Zoom when joining meetings for this bypass option to work. You can customise the Waiting Room experience with an approved list of domains whose signed-in users can bypass the Waiting Room and join the meeting directly.
  5. Review your use of H.323/SIP room systems. Do they join meetings where the Host user would typically be a participant in the room rather than joining as an individual? Ensure such meetings are scheduled with a Passcode, as the H.323/SIP system controls may not be able to perform the host function of admitting participants from a Zoom Waiting Room. Ensure your room controls are capable of entering a Passcode when prompted as part of connecting to a Zoom meeting, or can join with the passcode embedded in the dial string. AARNet are presently helping Zoom evaluate a beta feature that allows select H.323/SIP systems to bypass the Waiting Room on internal meetings when using the SIP dialling address. Please contact the AARNet support team if you require this enabled on your account.

If you choose to do nothing, meetings may remain insecure and easily 'Zoom bombed'. We recommend Zoom administrators at a minimum pro-actively enable the 'Waiting Rooms for all meetings without a passcode' feature, in a coordinated and well communicated manner, as soon as it is available. Users will need to learn how to host a Zoom meeting with Waiting Room turned on.

Communication should include consideration of Zoom Rooms if used. These often become a default host to meetings, and the touch screen control panel may be mounted on a wall and not at the table. Even if the room is configured to bypass the waiting room feature, external users may still need to be admitted via the Zoom Room controller interface.

To achieve maximum security when needed (for example for a Board level discussion), activate multiple security factors for the same meeting:

  • Passcodes [to protect against participants to whom the invitation details are not known]
  • Authentication to join [requiring participants to prove their identity by signing in through a known and trusted domain(s)]
  • Waiting Room – admitting only those who you expect to attend and allowing some participants to be placed back in to the waiting room if confidential discussions require restriction to a subset of participants. * See also note 5 re possible lack of host controls in H.323 room scenarios.
  • Once the meeting starts, assign a co-host from a laptop to monitor both participants and waiting room
  • Lock the meeting when all participants are in the meeting.

AARNet expect that this change may have significant user impact on some organisations, depending on how you use Zoom and your existing settings. It should be reviewed carefully.

 If you have questions about this change, please do not hesitate to reach us at