3.1 Non-Cryptographic Identity at Zoom
Zoom organizes its users into accounts. Accounts can be held by individual people, businesses or institutions, and they consist of one or more users: if Example Corporation uses Zoom, then each Example Corporation employee would be a Zoom user belonging to the Example Corporation account. Each user can have more than one device (e.g., a computer or a phone) on which they can use Zoom products.
Each account is part of a cloud infrastructure that hosts the data relating to the account and its users, such as email addresses and login information. Some Zoom users are in the Zoom commercial cloud; there is also a Zoom for Government cloud for U.S. government employees and contractors, as well as separate white-labeled private Zoom instances, each with their own cloud. Zoom products generally support cross-cloud communication, though there may be some limitations.
Zoom users authenticate to Zoom in a variety of ways. Users can log in using their email address and a password, or via an OAuth or SAML-based flow with an external Identity Provider (IDP) that has been set up for their account. In all of these cases, an email address is used as a unique user identifier. If the account settings allow it, users can change their email address or authentication method.
Some Zoom products, such as meetings, do not require individuals to sign in as a Zoom user in order to participate, unless configured otherwise. Users can join a meeting by clicking a link or by entering the meeting ID and password in the app.
The identity information displayed for a given user depends on the Zoom product, product-specific settings, account settings, and whether the viewer is in the same account or a different account. Identity information may include name, job title, company, phone number, and email address. Users may be able to modify their identity information, though account administrators can restrict their users to approved names. This identity information, and the mechanisms that govern changes to it, are controlled by the Zoom servers and cannot be independently verified by clients.
Zoom products may provide mechanisms to enforce access control: for example, meetings support meeting passwords, the waiting room feature, and the ability to restrict the meeting to users in the host’s account or users whose emails have a specific domain name. These features are enforced by the Zoom servers, so they can be circumvented if the server is compromised. They also do not prevent one member of an account from impersonating another member of the same account, and they may not give users enough information to make access control decisions themselves: for example, whether to admit an attendee from a meeting’s waiting room.