Authentication and Other Best Practices for Secure Zoom Meetings
Zoom has been a critical tool in our daily lives this past year; from virtual classes and student activities to checking in with family and friends, we rely on Zoom to keep us connected. Naturally, no one wants those moments of connection disrupted by unwanted visitors or inappropriate behavior. Unfortunately, spring term has already seen an increase in the number of Zoom bombings reported.
At Ohio State, our default CarmenZoom settings were designed to help protect our students, faculty and staff, and our recommended guidelines go even further to help you prevent and respond to Zoom bombing attacks. We outline a variety of measures you can take to keep your meetings safe, but these two steps can make a huge difference:
- Require authentication for meetings with Ohio State attendees. We recently made logging in even easier, so authentication does not need to be a hassle.
- Protect your meeting links. It is strongly recommended that you do NOT share meeting URLs publicly on websites or social media.
Review more steps you can take before, during and after a CarmenZoom meeting to protect you and your attendees:
Before the meeting…
How you plan to promote your meeting to your intended audience will guide your meeting setting choices. Before setting up the meeting, consider who you want to attend and how you will share meeting information with them.
It is strongly recommended that you don’t share meeting information publicly on websites or social media. If you want your event available to a wide audience, consider using Zoom’s registration options to better track who will be joining. With a smaller group of attendees who have registered and provided contact information, it may be feasible to send a passcode separately just to those you anticipate in the meeting. If you want only the host and designated panelists to be able to share during the event, consider requesting a webinar instead of using a standard meeting.
When creating new meetings in CarmenZoom, passcodes are added automatically within the meeting link. This embedded passcode makes it harder for hackers to guess your URL or stumble across your meeting, while also allowing your attendees to join your meeting with just one click. For additional security, you can choose to turn off the embedded passcode and send a passcode separately to your intended meeting participants. This method would require hackers to have two pieces of information—the URL and a separate passcode.
After planning how to share your meeting and how to get meeting details to intended participants, consider the following settings when creating your meeting in CarmenZoom.
We recently made it easier for Ohio State students, faculty and staff (with @osu.edu and @buckeyemail.osu.edu addresses) to authenticate and log into CarmenZoom quickly. For example, you may notice that you are automatically logged in on your desktop client after logging in to other university services. You can also bypass the Sign In with SSO option when logging in by typing your university email address and at least one character in the password box.
We wanted this process to be as easy as possible because requiring authentication to join Zoom meetings is a very powerful security measure. We strongly encourage you to select Require authentication to join in your meeting settings when your meeting includes only those associated with Ohio State.
Keep in mind, this setting is OFF by default to accommodate our Extension offices and other groups with frequent contact outside Ohio State.
While the authentication setting doesn’t stop misbehavior from meeting attendees, it does keep those outside the university out of your meeting. The setting also ensures your poll and attendance reports identify participants by their Ohio State usernames, makes pre-assigned breakout rooms more feasible, and makes it easier for Office of Institutional Equity (OIE) staff and cybersecurity experts to identify those who cause a disturbance.
Registration and Waiting Room
If you have people joining from outside the university, you won't be able to use the authentication option, but you can make good use of two other features.
- Registration: Use Zoom's registration option for your meeting or webinar. You can customize the fields for your attendees to complete; Zoom will send them an individualized meeting link and passcode. Adding custom fields that relate to your event and using the option to manually approve registrations will give you an opportunity to screen potential attendees and block those who don’t have a legitimate interest in your event.
- Waiting Room: The Waiting Room is a virtual staging area that stops your guests from joining until you're ready for them. This way you can screen participants and only allow those you are expecting to join. Take a good look at the display name for each entrant before letting them into the meeting. Many of the people who have disrupted Zoom meetings at Ohio State and elsewhere have advertised their bad intentions by using obviously offensive display names or names that are gross puns when said out loud.
During the meeting…
Review the Security Tab
Before your participants join, review the options in the Security tab, visible to the meeting host and any co-hosts. Make sure the settings for participants reflect the most secure set of options that will still let your meeting happen as planned. Screensharing, video, audio and chat can all be used by Zoom bombers to disrupt your meeting. Also, if you allow participants to rename themselves, someone who enters with an "ordinary" name may change it to something offensive once they are in your meeting.
When your meeting begins, select Record to the Cloud. This step is beneficial for you as it provides a recording you could share with those unable to attend as well as auto-generated captions for the meeting. Recordings saved to the cloud are also helpful in the event of a Zoom bombing attack as they provide more information about the meeting and can help the appropriate authorities identify bad actors.
For large or high-profile meetings, it would be beneficial to designate one or more co-hosts to respond to misbehaving attendees. The Teaching and Learning Resource Center highlights ways to address disruptive behavior, including removing users, placing users on hold, disabling video and muting participants. These tactics can help mitigate disruptive behavior during the meeting.
After the meeting…
If something disruptive does happen during a CarmenZoom meeting, be sure to report the incident to OIE using the form on their website and to eLearning Support Staff at firstname.lastname@example.org. These groups can investigate the issue and provide you with helpful resources, and reporting issues helps us identify trends and adjust security settings and recommendations.
Be sure to check out the Teaching and Learning Resource Center for more helpful information about CarmenZoom and other eLearning tools at Ohio State.