Zoom has added two-factor authentication (2FA) to its video communications platform, a long-awaited feature that will provide a security boost.
Users who turn on 2FA will be asked to present another piece of information to verify they are the account owner. This could be a security code texted to a linked mobile, an expiring one-time password generated by an authenticator app such as Google Authenticator or Microsoft Authenticator, or another authentication method.
Account admins can turn on 2FA by signing into the Zoom Dashboard and heading to ‘security’. Admins have the option to enable 2FA for all accounts used at their company, or only for users in specified roles.
2FA is the latest security feature that the US company has added after it came under criticism for security flaws, including ‘Zoom-bombing’ and encryption concerns. These were brought to light due to Zoom’s soaring popularity during the pandemic, which caused revenues to rocket by 355% year-on-year in its most recent quarter.
In response, the company embraced the criticism head-on and established a 90-day security plan to address its shortcomings, with CEO Eric Yuan providing regular progress updates.
Zoom 2FA a “necessary development”
Security experts welcomed the addition of 2FA to Zoom.
“This security inclusion comes better late than never,” said Jake Moore, cybersecurity specialist at Slovak internet security company ESET. “Zoom became the go-to conference call tool at the start of lockdown, and played well into the hands of convenience-minded users rather than those focused on security or privacy due to its initial lack of security features such as encryption.
“This new addition is a fantastic effort to help protect all end users and I urge every user to apply this essential layer of extra protection from now on.”
Niamh Muldoon, senior director of trust and security at OneLogin, said it was a “necessary development” given Zoom’s soaring user numbers. However, she cautioned that Zoom could go further than 2FA.
“Moreover, Zoom should endeavour to implement stronger methods of authentication in the near future,” she said.
“The growing sophistication of phishing threats means traditional forms of 2FA like SMS and OTP are becoming risky. Zoom should introduce more modern forms of 2FA like WebAuthn, which leverages device-based encryption to prevent even advanced malware and man-in-the-middle phishing attacks.”