How to Keep Zoom Meetings Secure (Without Driving Your Members Crazy)

Over the weekend, Zoom implemented a security change that will effect all the club and district meetings that have moved online — and could result in participants being locked out of meetings if you’re not careful. These changes are probably a good thing in the long run, but they could be disrupt some meetings this week.

Two settings that used to be turned OFF by default are now turned ON by default for every meeting:

  • An attendee meeting password
  • A “waiting room,” where participants are held in digital limbo until the host admits them

If you had not previously turned these features on, they will be turned on now — unless you deliberately turn them off.

Important: Assuming you have not turned on the meeting password previously, this means the meeting link or meeting ID number you distributed previously won’t work for your members — unless you also supply them with the password. There is also a long, coded link you can share in the format —

https://zoom.us/j/4747471963?pwd=LONG-CODED-STRING-HERE

— to allow people to attend your meeting without entering the password manually. I recommend also sharing the meeting ID and meeting password in something like this format.

Meeting ID: 4747471963
Password: 863458

Do not publish the link or these credentials on a public page of your website, or there is no point in having a password. Share them selectively with members and registered guests. You can have guests email the VP of Membership, or fill out a contact form on your website, or fill out a registration form, as we’re doing at Club Awesome and Online Presenters.

When this change was initially implemented, Zoom wouldn’t let you turn off the meeting password even if you wanted to (hint: you probably don’t want to). I’m sharing my recommendations for how to use these features if they make sense for you.

Background

At the same time that its use is becoming pervasive, Zoom has come under heavy criticism for security issues and failing to prevent abuses such as Zoombombing, the phenomenon of trolls intruding on online meetings and screensharing pornography or otherwise behaving badly. Nevertheless, some cybersecurity experts say criticism of Zoom is overblown — in the sense that what really matters is how Zoom has responded to plug holes as they have been revealed. Many of the problems that have cropped up are as much a result of people using Zoom in inappropriate ways as they are with the software itself.

If the point is to tighten up security, you may wonder why Zoom still lets you share a coded link that is the equivalent of typing in the password. However, if you’re emailing people the password, the coded link is no more or less secure than that if the email should go to someone it do. However, making the link more long and complicated frustrates certain hacking techniques for guessing Zoom meeting IDs until a valid one is found, then crashing that meeting.

Also, you can change the password at any time and the coded link associated with that password will stop working. This reminds me of how my neighborhood, a gated community, periodically changes the code for the pedestrian gate used by school kids and joggers. When the code has been shared a little too widely, and problems have cropped up, it can be changed.

Recommendation: Keep Meeting Access Secure But Simple

Given that many Toastmasters are participating online meetings for the first time, we don’t want to make it any more complicated than it needs to be. I recommend:

  • Leaving the meeting password feature turned on
  • Sharing the coded link discreetly
  • Using the “Personal meeting room” associated with the account, rather than creating a separate Zoom meeting with its own link for every club meeting. This allows members to use the same meeting link every time. Keep it simple for them, as much as possible.
  • Only changing the password / link combination if you have actual (rather than theoretical) problems with unwanted meeting participants.
Zoom meeting password for “personal” meeting room

Waiting Room: Optional

Like the meeting password, the waiting room feature is enabled by default. This can give meeting hosts more control over who is admitted (only people whose names you recognize), but so far I’m not recommending using it for my clubs. I think it’s one too many complexity to add to the meeting host’s responsibilities.

Two things I don’t like about the feature:

  • It means the meeting can’t start until someone with the account password signs in.
  • It prevents the use of the Claim Host feature described below.

Make Sure Someone Has Administrative Control of Every Meeting

I explain these considerations in more detail in an article I wrote for an audience of IT and business leaders, Zoom tips: 6 ways to make meetings better. Short version: every meeting should have someone who is empowered to mute microphones, turn off video, or expel participants who behave inappropriately.

Claim Host, then add a Co-Host

Rather than sharing the account password with everyone who needs that control, I recommend sharing the “Claim Host” code with officers and perhaps the Toastmaster of the Day or other meeting leader. The first person who checks in and sees that there is no meeting host can click the “Claim Host” button and enter that code. The newly empowered meeting host can then share meeting administration rights with others who will need it.

Limit Access to Screen Sharing

Screen sharing settings

Limit the ability to share slides or other onscreen imagery to meeting hosts. When a trusted member who is giving a presentation or needs to share their screen for some other purpose lets you know they need access, make them a co-host. You can have many co-hosts. The point is to prevent untrusted users from being able to share offensive imagery — or, at least, from taking over the whole screen with it. (They could still moon their webcam, but any such mischief would be confined to a thumbnail image — and such abuse is unlikely anyway if you’ve taken the other precautions described here).