Zoom adds two-factor authentication for all users

Unified communications and collaboration platform Zoom has rolled out another round of cyber security enhancements, adding two-factor authentication (2FA) across its platform, requiring users to present two or more credentials to join a meeting.

This is the latest in a now long-running series of enhancements Zoom has made in response to a series of concerns around the security of its service, use of which soared during lockdown and has remained popular as millions of people continue to work remotely during the ongoing Covid-19 pandemic.

Zoom said adding 2FA to its platform offered users a secure way to validate their identities and protect against incidents, providing a number of benefits such as a reduced risk of identity theft and security breaches by preventing malicious actors from accessing legitimate accounts, enhanced compliance with data protection regulations, reduced costs by eliminating the need for expensive single sign-on (SSO) technology, and easier credential management.

Users will have the option to use authentication apps that support time-based one-time password (TOTP) protocols, for example Google Authenticator, Microsoft Authenticator or FreeOTP, or have Zoom send a code via SMS or phone call, the firm said in a blog post announcing the changes.

Niamh Muldoon, senior director of trust and security at identity and access management specialist OneLogin, said the addition of 2FA was entirely necessary given the increase in Zoom usage, and the high-profile stories of so-called zoom-bombing that ensued.

“However, security is a two-way street; in order for this to be effective, users will need to enable the use of 2FA,” she said.

Administrators can activate 2FA on Zoom at the account level by signing into their Zoom dashboard, navigating to security settings, and enabling 2FA either for all users, or for specific users by function or grouping. Further details can be found online.

However, Muldoon pointed out that the growing sophistication of phishing threats was leading many to the conclusion that 2FA is not necessarily 100% effective.

“Zoom should introduce more modern forms of 2FA like WebAuthn, which leverages device-based encryption to prevent even advanced malware and man-in-the-middle phishing attacks,” she said.

“WebAuthn is popular with users because it requires no password and allows them to utilise biometric sensors like fingerprint scanning and facial recognition that they already use to their unlock phones.”

She added that while MFA was essential, leaders in the field are now also turning to artificial intelligence and risk management techniques to enhance authentication in situations where risk might be heightened, such as if users have changed their device, location, or app usage profiles.