Sign-in & security: password and two-factor

**Sign-in & Security** is where you manage the credentials that get you into Verinode and the channels Verinode is allowed to use to reach you. It covers four things stacked on one page: your passw…

9 min read·Updated July 13, 2026
On this page

What this page is

Sign-in & Security is where you manage the credentials that get you into Verinode and the channels Verinode is allowed to use to reach you. It covers four things stacked on one page: your password, an authenticator-app second factor, the email addresses IQ is allowed to write to and read replies from, and confirming your business identity for peer benchmarks. None of these change what data you can see inside Verinode. They change how you get in, how Verinode reaches you, and how much weight your numbers carry in peer benchmarks.

Where to find it

Open Settings from the sidebar, then the Sign-in & Security row (subtitle: "Password, 2FA, Vault Key"). Direct route: /settings/security. A "‹ Settings" link at the top of the page returns you to the Settings index.

The page also carries a Vault Key section below the panels covered here. That is a separate recovery-key feature with its own reveal flow and is not covered in this article.

Note

Everything on this page runs through Supabase's own auth APIs from your signed-in session; this is the one place in Verinode where the browser talks directly to auth infrastructure rather than going through a server action first. Password changes and 2FA enrollment still route through server-side checks where it matters (see below).

Changing your password

The Change Password section has three fields: Current Password, New Password (helper text: "At least 8 characters."), and Confirm New Password. Above the form, a line reminds you: "Your Vault Key (below) is what lets you reset this password if you ever forget it." That is not filler, it is the actual recovery mechanism: Verinode has no "forgot password" email link for encrypted-vault accounts, your Vault Key is the recovery path.

  1. 1Enter your current password.
  2. 2Enter a new password, at least 8 characters.
  3. 3Re-enter it in Confirm New Password.
  4. 4Click Update Password.

What happens when you click Update Password: Verinode verifies your current password server-side, then re-wraps your Vault Key under the new password so your encrypted data does not lock you out, then rotates the auth password. All three steps happen together; if the re-wrap fails, your password is not changed, so you never end up with a new password and a vault you can no longer open.

Validation and error messages, shown exactly as they appear:

  • New password under 8 characters: "New password must be at least 8 characters."
  • New password and confirmation don't match: "New password and confirmation do not match."
  • Current password wrong: "Current password is incorrect."
  • Vault re-encryption fails: "We couldn't re-encrypt your vault, so your password was not changed. Please try again."
  • Session lost mid-flow: "Could not load your account. Please sign in again."
  • Anything else: "Could not update password. Please try again."
  • Success: "Password updated." and all three fields clear.

Two-factor authentication (TOTP)

The Two-Factor Authentication section adds a one-time code from an authenticator app (1Password, Authy, Google Authenticator are named as examples) to every sign-in. The panel's own copy calls this a "Strong recommendation for owner / admin accounts."

If you have no factor enrolled, you see a single Set up two-factor authentication button.

  1. 1Click Set up two-factor authentication. Verinode tears down any half-finished enrollment from a previous attempt first, so you never end up with duplicate unverified factors.
  2. 2A card opens: "Scan this QR code." Open your authenticator app and scan the QR image, or copy the Secret string shown next to it and enter it manually.
  3. 3Enter the six-digit code your app generates into Verification Code. The field only accepts digits and caps at 6 characters; Confirm stays disabled until you've entered exactly 6.
  4. 4Click Confirm.

On success the message reads "Two-factor authentication enabled." and the card is replaced by an Enabled state: a green-tinted row reading "Enabled" with "Authenticator app linked" plus the factor's friendly name (Verinode names it automatically, "Authenticator app (enrollment date)"). A Turn off button sits beside it.

Turning it off: clicking Turn off asks you to confirm ("Turn off two-factor authentication on this account?") before removing the factor. Confirming shows "Two-factor authentication disabled." and the panel returns to the unenrolled state.

Canceling mid-enrollment: the Cancel button in the QR card discards the in-progress factor entirely rather than leaving it half-enrolled.

Tip

Enrolling two-factor authentication here is also a prerequisite for the Email Channel below. Until you have a verified authenticator app on your account, the Email Channel panel shows a locked state and points you back up to this section.

Email Channel panel

This section governs whether you can drive Verinode by replying to IQ from your own inbox. It reads: "Drive Verinode by replying to IQ from your inbox. Briefings, action plan handoffs, and follow-ups all route through your verified addresses below. Up to 4 addresses, opt-in, 2FA required."

Turning it on

The toggle row has three possible states:

  • No verified authenticator app yet: "Enable two-factor authentication first. The email channel requires an authenticator app on your account. Set one up under Two-factor authentication above, then come back." No Enable button shows until you have a verified factor.
  • Off, 2FA present: "Currently off. IQ will reply only through the in-app surface." with an Enable button.
  • Enabled: a green row reading "Enabled. IQ will reply via email to verified addresses." with a Pause button.
  • Paused: a yellow row reading either "Paused via one-click" (someone clicked an unsubscribe link on an outbound email) or "Paused manually" (you paused it here), with "No emails will go out until you resume." and a Resume button.

Clicking Enable opens a step-up modal: "Enable Email Channel. Confirm with your authenticator app. This action gives Verinode permission to send to your verified addresses and act on your replies." You enter a fresh six-digit code from your authenticator app to confirm. This is a second, independent check of your 2FA factor at the moment you turn the channel on, not just proof you enrolled one at some point.

Verified Addresses

Below the toggle, a line reads Verified Addresses (X of 4), counting only addresses that have completed verification. If you have none yet: "No addresses yet. Add the inbox you want IQ to reach you on." Each listed address shows the email itself and a status line: the label you gave it (or "Personal" if you left it blank), followed by one of:

  • Verified, the address has clicked its confirmation link and is live.
  • Verification link sent, you added it and a confirmation email is outstanding.
  • Pending, added but no confirmation email is currently outstanding.

Each row has a Remove button, gated by a confirmation prompt ("Remove [email] from the whitelist?").

Adding an address: the Add Address form (Email, required, and an optional Label with placeholder "Personal") only appears while you have fewer than 4 verified addresses. Submitting sends a one-time verification link: "We send a one-time verification link to that address. Click it within 48 hours to add it to your whitelist." On send, a confirmation flashes: "Verification email sent to [address]." A new address only counts against your 4-address cap once it's fully verified.

Outbound Log

A collapsible row, Outbound Log, with a Show last 30 days toggle. Expanded, it explains: "Every email Verinode has sent or attempted to send on your behalf in the last 30 days. Use this to spot anything unexpected." The table columns are:

  • When, the date and time the email was queued.
  • To, the destination address.
  • Template, which email template was used.
  • Status, the send outcome, colored green for a normal state, red for blocked. A blocked row also shows its block reason inline.

Empty state, verbatim: "No outbound activity in the last 30 days yet."

Quarantined Inbound

A second collapsible row, Quarantined Inbound, same "Show last 30 days" toggle. The explanation: "Inbound emails that failed an inbound gate (auth, autoresponder, sender domain, rate limit, or loop guard). Stored for audit but not processed by IQ. Email support@verinode.ai if a legitimate sender keeps landing here." Columns:

  • When, when the email arrived.
  • From, the sending address.
  • Subject, the email's subject line, or "(no subject)" if none.
  • Reason, the specific gate that blocked it.

Empty state, verbatim: "No quarantined inbound in the last 30 days. Good."

Heads up

Quarantine is not a spam filter you tune from here, it's a security boundary (sender authentication, loop prevention, rate limiting). If a real reply keeps landing in quarantine, contact support@verinode.ai rather than trying to work around it from this panel.

Business Identity panel

Confirming your business identity raises the trust level your numbers carry in peer benchmarks. It never changes what you can see in Verinode: "It never changes what you can see, and your number is never shown to other operators."

Unconfirmed state: a form with two fields.

  • Country, a dropdown: United States (EIN), Canada (Business Number), Other.
  • Business or Tax Number, helper text adapts to the country: "Your 9-digit EIN." for the US, "Your 9-digit Business Number." for Canada, "Your registration number." for Other.
  1. 1Choose your country.
  2. 2Enter your EIN, Business Number, or registration number.
  3. 3Click Confirm Business Identity.

Validation happens before anything is written: a US number must be exactly 9 digits (hyphens are fine, e.g. 12-3456789), a Canadian number must be 9 digits optionally followed by a 2-letter program code and 4 digits (e.g. 123456789RT0001), and an Other number just needs to be 5 to 20 alphanumeric characters. Each country also enforces that a given number can only confirm one operator account; if the number is already linked elsewhere, the form returns "This business number is already linked to another account."

Note

This confirms the number is structurally valid and uniquely claimed, it is not a live lookup against the IRS, CRA, or any other registry. It raises the cost of a fabricated identity; it is not a guarantee of one.

On success: "Business identity confirmed." The panel then switches to its Confirmed state, showing "Confirmed" plus the masked number (all but the last 4 characters replaced with dots, e.g. •••••6789) and: "Your business identity is on file, so your numbers count in peer benchmarks at the highest trust level. To change it, contact support." There's no self-serve edit after confirmation, changes go through support.

If your contributions are currently on hold for an integrity review, the unconfirmed form shows an extra line above the fields: "Your contributions are paused for review. Confirming your business identity restores them." Confirming your identity in that state both verifies you and lifts the hold in the same action.

Best-practice example

A new operator signs in, sets a strong password, and enrolls their authenticator app the same session so owner-level sign-in is protected from day one. A week later they turn on the Email Channel so they can reply to IQ's morning briefing straight from their phone, confirming with a fresh 2FA code at that moment (not the one from setup). They add their business email as a second verified address for their ops manager to reply from too, staying under the 4-address cap. Separately, they confirm their business identity with their EIN so their margin and cash-flow numbers count in benchmarks at the highest trust level, without changing anything about what they themselves can see on the platform.

Data sources

Data sources

  1. 1.Your password and authenticator-app enrollment. Your account.
  2. 2.Your verified email addresses and channel state. Your account.
  3. 3.Outbound and quarantined email activity, last 30 days. Your account.
  4. 4.Your business or tax registration number. Your account.
Was this helpful?