cancel
Showing results for 
Search instead for 
Did you mean: 

How can I protect passcode when using Auto Approval Registration?

allisonr
Listener

We are using Registration with auto approval in order to capture email addresses of attendees.

 

Unfortunately Zoom displays the passcode openly after registration, thus defeating the purpose of a passcode.  

 

Can the passcode be removed from the post-registration page so the meeting can still be secure?  Otherwise an individual can just fake a registration (use a bogus email) in order to get the passcode of the meeting.

 

Note that we cannot use manual approval.  We specifically need to protect the passcode with Auto Approval.

 

Please let me know if we can close this security hole.

4 REPLIES 4

jeremyjustin
Community Champion | Zoom Employee
Community Champion | Zoom Employee

Hi @allisonr thank you for your post here on the Zoom Community! This is an interesting situation since the passcode is typically included in the registration confirmation as a convenience. Should the join URL fail for some reason the meeting ID and passcode are included in plain text so that users have a backup way into the meeting (Click Join through Zoom client, enter Meeting ID, enter Passcode). However, if you want to change the emails you can in the Zoom portal.

 

Under the Advanced section of the Zoom portal, Branding

jeremyjustin_0-1642545405486.png

 

Then click the "Emails" tab

jeremyjustin_1-1642545482362.jpeg

 

Scroll down and you will see the "Registrants Confirmation Email"

 

This is the email template that goes out to users when they register for meetings. If you edit this template and remove the passcode field, it should remove the passcode from your meeting registration confirmations. 

 

When editing, you can search for the word "passcode" and it will help guide you to the place(s) to remove the passcode. And on the same edit screen there is a "Restore" button on the bottom left in case you want to set things back to default and start over 🙂


Please keep in mind this support article has some information on Branding but we don't really have a way to provide sample code. We do recommend having HTML experience when editing these templates for best results https://support.zoom.us/hc/en-us/sections/200305493-Branding

 

If this has answered your question to your satisfaction, please click the "Accept as Solution" button below but if not please reply and we can continue the  discussion. Thank you!

Thanks I really appreciate your response.  I agree that the email needs to contain the passcode, but I also believe ONLY the email should have the passcode (so we know we're only showing it to the person who is at that email address).  The issue I have is that the passcode is displayed on the webpage after you register - so even if you enter a bogus email address, or someone else's email address, you now have the passcode and we don't know who you are.

I would like to protect the passcode and not display it on the Registration Approved page. 

jeremyjustin
Community Champion | Zoom Employee
Community Champion | Zoom Employee

@allisonr I see your point there and I appreciate you explaining how it would help with security.  Our product team reviews all feature requests submitted via our feedback form https://zoom.us/feed. If you could take a few minutes to post your feedback I would highly encourage you to submit this feature!

MassimoITsorted
Listener

I totally agree with this issue ...

As has been said in this post, if you have a Business or Enterprise account you can (through 'Branding') hide the passcode on the emails. BUT with a Free or Pro account you cannot.

 

So, to recap, in the email that gets sent to a participant, the ID AND the passcode are included. And this means if the email is forwarded onto others, they can simply 'Join a meeting' and manually enter the ID and passcode - and they are straight into the meeting.

And they completely bypass the normal registration process.

 

Note:

  • if they are signed into Zoom their name and email gets included in the list of Registrants.
  • If they are not signed into Zoom they get asked for their name and email address ... but they can enter any name and any email (I tried it with ***********) and this gets registered.

One way I found to stop this loophole (and I appreciate this is getting a bit complicated) is to turn 'Approval' in Registration settings to 'Manually Approve' before the meeting starts (and before anyone is in the Waiting Room).
Then, when someone tries to Join with ID and passcode they are forced to fill out the normal registration form and will only receive a confirmation email with a link IF you manually approve them.

For this to work, either you must be monitoring the list of Registrants (and refreshing your screen regularly) OR (more simply) let people know they must register before a certain time.

 

And an alternative to monitoring by refreshing the list of Registrants is to also turn on this ...

Notification

  • Send an email to host when someone registers