Sign-in and security: password, 2FA, and your Vault Key

**Sign-in & Security** is where you manage the three things that keep your Verinode account yours: your password, two-factor authentication (2FA), and your Vault Key, the encryption key that protec…

10 min read·Updated July 13, 2026
On this page

What this page covers

Sign-in & Security is where you manage the three things that keep your Verinode account yours: your password, two-factor authentication (2FA), and your Vault Key, the encryption key that protects your operator data at rest. Verinode is an independent data trust and your AI Co-COO. It never sells your operator data to carriers, and it never decides for you. It surfaces what it finds and recommends a path, you make the call, and this page is where you control who else can act as you and how your sensitive data is locked down.

Where to find it

Open Settings from the sidebar, then Sign-in & Security. The route is /settings/security. The page title reads "Sign-in & Security" at the top; everything below it flows as a stack of plain sections with no card-on-card framing: Change Password, Two-Factor Authentication, your email channel and business identity panels, and Vault Key, in that order.

This article covers the first, second, and last of those groups. The email channel and business identity panels live on the same page but cover different ground (inbound email addresses and confirming your business number for benchmark trust), so they are not detailed here.

Change Password

The Change Password section is a simple three-field form:

  • Current Password, required.
  • New Password, required, with the helper text "At least 8 characters."
  • Confirm New Password, required.

Above the form is a short note that matters more than it looks: "Your Vault Key (below) is what lets you reset this password if you ever forget it." That is not a throwaway line. Your Vault Key is the recovery path if you are ever locked out, so setting it up (covered below) is what makes a forgotten password recoverable at all.

Click Update Password to submit. Here is what happens and what can go wrong.

  1. 1Verinode checks that your new password is at least 8 characters and matches the confirmation. If either check fails, the form shows "New password must be at least 8 characters." or "New password and confirmation do not match." and stops, without contacting the server.
  2. 2Verinode verifies your Current Password is correct. If it is not, you see "Current password is incorrect." and nothing changes.
  3. 3Verinode re-wraps your Vault Key (and, if you also belong to an HQ group, your group vault key) under your new password. This has to happen before the password itself changes, because your Vault Key is wrapped for recovery using your password, and an out-of-sync wrapping would lock your own vault.
  4. 4Verinode rotates your sign-in password.
  5. 5If the re-wrap step fails, you see "We couldn't re-encrypt your vault, so your password was not changed. Please try again." and your password is left exactly as it was: nothing is left half-changed.
  6. 6If the password rotation itself fails after a successful re-wrap, Verinode automatically rolls the vault wrapping back to your old password so your account stays internally consistent, and you see a generic "Could not update password. Please try again."
  7. 7On success, the form clears and shows "Password updated." in green.

If Verinode cannot confirm who you are at all (for example your session has expired mid-form), you'll see "Could not load your account. Please sign in again."

Note

The whole password change, current-password check, vault re-wrap, and password rotation, happens as one atomic operation. Verinode will never leave your account in a state where your password changed but your Vault Key did not follow, or vice versa.

Two-Factor Authentication

The Two-Factor Authentication section adds a one-time code from an authenticator app (1Password, Authy, Google Authenticator, or similar) to every sign-in, on top of your password. Verinode's own copy on this page calls it a "strong recommendation for owner / admin accounts."

If you have not set it up, you'll see a single Set up two-factor authentication button.

  1. 1Click Set up two-factor authentication. Verinode generates a new TOTP (time-based one-time password) credential and shows a Scan this QR code panel: a QR code image on the left, and on the right a text Secret (for typing into an authenticator app that can't scan a code) plus a Verification Code field.
  2. 2Open your authenticator app, scan the QR code (or enter the secret manually), and it will start generating 6-digit codes.
  3. 3Type the current 6-digit code into the Verification Code field. The field only accepts digits and caps at 6 characters.
  4. 4Click Confirm. Verinode challenges the code you entered against the credential; a correct code enables 2FA and shows "Two-factor authentication enabled." A wrong or expired code surfaces the underlying error message and lets you try again.
  5. 5Click Cancel at any point to abandon setup; Verinode removes the unverified credential so it doesn't linger.

Once enabled, the section shows a green Enabled banner reading "Authenticator app linked" (plus the authenticator's friendly name, which Verinode auto-generates as "Authenticator app" followed by the date you enrolled it), with a Turn off button beside it.

Clicking Turn off asks you to confirm ("Turn off two-factor authentication on this account?") before it disables the factor. Turning it off shows "Two-factor authentication disabled."; turning it back on starts the QR enrollment flow again from scratch.

Tip

If you start enrollment and abandon it partway (close the tab, click Cancel), Verinode automatically clears that unfinished credential the next time you click "Set up two-factor authentication," so you never end up with a stale, half-enrolled factor sitting in your account.

Vault Key

Your Vault Key is the encryption key behind the sensitive parts of your Verinode account: client and job details, contact information, anything in the "personal details" category for your customers and your team. Verinode's own description on this page: it "protects your customers' and team's personal details with a key we don't store in a form we can read." That's a deliberate design choice, not a compliance checkbox: Verinode is built so that even Verinode cannot casually read your encrypted data. Recovering it requires your password, which is why the Vault Key card sits right next to Change Password on this page.

The section renders one of two ways, depending on whether your account already has a Vault Key provisioned.

If you don't have a Vault Key yet

Operators who signed up before Verinode's Vault Key system shipped won't have one automatically. In that case the section shows a Set up your Vault Key button instead of the usual View/Download controls, with this description: "Your Vault Key is the durable copy of the key that protects the encrypted parts of your account. Set it up now to enable encryption on your sensitive data. The key is generated once; we never store it in a form we can read."

  1. 1Click Set up your Vault Key. A Confirm your password field expands inline.
  2. 2Enter your current password and click Generate Vault Key.
  3. 3Verinode verifies your password, confirms you don't already have a vault on file, and generates a brand-new Vault Key tied to your account.
  4. 4The key appears immediately in a reveal panel (see below), along with the note: "Save this somewhere durable. A password manager. A printed copy in a safe. Both. After this, View and Download CTAs replace this panel."

Once generated, the Set Up panel is replaced on your next visit by the standard View/Download controls described below.

Possible errors during setup: "Please enter your password." (blank field), "Incorrect password. Please try again.", "Your Vault Key is already set up. Refresh this page to see it." (a vault already exists, most likely from a second attempt), "You have been signed out. Please sign in again.", and a generic "Setup failed. Please try again." for anything else.

If you already have a Vault Key

The section shows the same description ("Protects your customers' and team's personal details...") plus two buttons:

  • View Vault Key
  • Download Verinode Membership

Both open the same password-confirmation dialog, titled "Confirm your password to view your Vault Key," with the note: "Your data is yours. We don't store this key in a form we can read. Confirming your password unlocks it on this device for 30 seconds."

  1. 1Enter your password in the dialog.
  2. 2Click Show Vault Key to reveal the key in place, or Download Verinode Membership to download a PDF copy instead. Cancel closes the dialog without either.
  3. 3If you click Show Vault Key, the dialog's title changes to "Your Vault Key" and displays the key itself in a monospace, chunked format (broken into readable groups rather than one long unbroken string) alongside a short Fingerprint, a shortened identifier for the key that support can use to confirm you're looking at the right one without you ever having to read out the full key.
  4. 4A Copy button copies the key to your clipboard. A live countdown reads "Hides in {n}s" and counts down from 30 seconds.
  5. 5Click Hide to dismiss it early, or just wait: the key automatically disappears when the countdown reaches zero, or the moment you switch away from the browser tab (Verinode treats a tab-blur the same as an active hide, so a screen left open on your desk never keeps the key visible).
  6. 6If you click Download Verinode Membership instead, Verinode streams a PDF (named verinode-membership.pdf unless your browser suggests otherwise) straight to your downloads, with no on-screen reveal step at all.

Heads up

The Vault Key only stays visible for 30 seconds and disappears the instant you leave the tab. Have your password manager or a safe place to paste it ready before you click Show Vault Key, or just use Download Verinode Membership and keep the PDF somewhere durable instead.

Errors you might see in the password dialog:

  • "Incorrect password. N attempt(s) remaining before lockout.", wrong password, with a live countdown of attempts before a cool-off.
  • "Too many failed attempts. Try again at {time}.", you've hit the lockout threshold; the form disables itself until the stated time.
  • "You have been signed out. Please sign in again.", your session lapsed.
  • "We could not find your account. Please contact support.", no operator record resolved.
  • "Your Vault has not been set up yet. Please complete onboarding.", shouldn't appear if the page correctly detected no vault, but covers a race condition.
  • "Your seat is not yet activated for the Vault. Ask the operator owner to log in once to finish setup.", this appears for a teammate whose individual encryption access hasn't been wired up yet; having the account owner sign in once resolves it.
  • "Only the account holder can reveal the Vault Key. Ask your billing contact to share it.", see below.

If you're not the account holder

Revealing or downloading the master Vault Key is restricted to the account's billing contact (the account holder), with an admin as fallback if no billing contact is on file. Everyone else on the account still has full, ordinary access to their encrypted data day to day; this restriction is purely about who can pull the master recovery key itself. If you're not the account holder, the View/Download buttons are replaced with this note: "Your account holder holds the recovery Vault Key. You have full access to your encrypted data. To view or download the Vault Key itself, ask your billing contact."

Note

While the page is confirming your access level, it briefly shows "Loading…" next to the key icon. That's normal and resolves in a moment; it's there specifically so a teammate who doesn't have reveal rights never sees the View/Download buttons flash on screen before being hidden.

Best-practice example

Say you're the account owner at a two-person operator team. Start with Two-Factor Authentication: set it up on your own login first, since it's the single highest-leverage security step available here. Then check Vault Key: if the section still shows "Set up your Vault Key," generate it now rather than leaving your business's sensitive data on the older, unprotected path, and download the Verinode Membership PDF the moment it's generated so you have an offline copy before the 30-second reveal window closes. Finally, the next time you change your password (routine hygiene, or because you suspect it leaked elsewhere), do it here rather than through your password manager's browser autofill alone. Verinode's Change Password form is the only path that keeps your Vault Key wrapping in sync with your new password; changing your password anywhere else (there isn't another path in Verinode, but this is worth knowing) would risk locking your own vault.

Data sources

Data sources

  1. 1.Your password and two-factor credential. Your sign-in session.
  2. 2.Your Vault Key and its recovery wrapping. Verinode's vault infrastructure.

Related: Connecting your data covers what starts flowing in once your account is set up and secured. How benchmarks work explains what happens to your data once it's anonymized and contributed to the peer intelligence layer that your Vault Key is, in part, protecting on the way there.

Was this helpful?