Zoom announced a slate of new security features users can take advantage of as the school year begins and millions continue to work and learn remotely.
Zoom Phone users can upgrade to end-to-end encryption “during one-on-one phone calls that occur via the Zoom client.”
“During a call, users can click ‘More’ to find the option to enable end-to-end encryption. The upgrade takes under a second and helps users get security protection against server compromise,” the company explained in a statement.
“Users can optionally exchange security codes over the voice channel to rule out the presence of a ‘meddler in the middle.’ E2EE for Zoom Phone will be available in the coming year.”
Zoom also announced two other features designed to enhance the security of its platform: Bring Your Own Key (BYOK) and Verified Identity.
BYOK was designed to help customers who have to deal with stringent compliance requirements or data residency needs. The tool allows users to manage their own encryption keys, creating a system where people will own and manage a key management system in AWS. The system will contain a customer master key that Zoom cannot access or see.
“Zoom will interact with the customer’s KMS to obtain data keys for encryption and decryption and will use these data keys to encrypt and decrypt customer assets before those assets are written to long-term storage. Zoom will not store plaintext data keys in long-term data storage,” Zoom explained in a statement.
“BYOK is a separate offering from E2EE and is not designed for real-time use cases like streaming video. It’s best used for the secure storage of larger assets, such as recording files. BYOK will roll out as a customer beta in the coming months for recordings for Zoom Meetings, recordings for Zoom Video Webinars, Zoom Phone voicemails and recordings, and calendar for Zoom Rooms.”
Verified Identity was built to help address the growing sophistication of social engineering and phishing attacks. The Verified Identity feature allows users to determine if a meeting guest is actually who they say they are.
Zoom said the tool would help users who deal with classified information, specialized services and more. Multi-factor authentication is used to vet users entering a meeting. The tool asks you to identify your role in an organization, your credentials and the network you use. It also provides information about your device, authentication apps, codes, biometrics and email addresses.
It also uses passwords, security questions and profile information to verify users.
“To make attestation and authentication integral to the Zoom experience, we’re working with Okta to help verify users as they join Zoom Meetings. Once they’re in a meeting, a user will have a checkmark next to their name and can share their verified profile information — including name, email address, and company domain — with meeting participants,” Zoom explained.
“Meeting hosts can use in-meeting security controls to remove a participant if for some reason they are not verified, or the displayed information seems incorrect. Displaying verified profile information via Okta will be available sometime next year and is the start of Zoom’s long-term identity attestation and verification initiative strategy.”