Updated 18 May 2026

Account Security

Two-factor authentication for VeraCita. Recommended for anyone handling confidential, privileged, or regulated materials.

What is two-factor authentication?

Two-factor authentication (2FA) adds a second verification step when you use VeraCita. Logging in with your password is the first factor -- something you know. The second factor is a 6-digit code from an authenticator app on your phone -- something you have.

Even if an attacker obtains your password, they cannot access your account without also having your phone. For accounts that handle confidential documents -- legal briefs, regulatory submissions, unpublished research -- this materially reduces the risk of unauthorised access.

VeraCita 2FA uses the TOTP standard (RFC 6238): a 6-digit code that changes every 30 seconds, generated offline by your authenticator app. No SMS. No codes sent by email. No dependency on VeraCita's servers to produce the code.

Why we recommend enabling it

VeraCita processes citations in documents that may be confidential or privileged. If your account password is exposed in an unrelated breach (credential stuffing is the most common attack vector), an attacker who logs in could:

2FA eliminates this class of attack. A stolen password alone is not sufficient to log in.

Particularly recommended for: law firms, research offices, regulatory affairs teams, and anyone uploading draft documents that are not yet in the public domain.

How to enable 2FA

Step 1 -- Get an authenticator app

You need a TOTP authenticator app on your phone. Any of these work:

Google Authenticator -- iOS + Android. Free.
Authy -- iOS + Android. Cloud backup available.
1Password -- iOS + Android + Desktop. Paid.
Bitwarden -- iOS + Android + Desktop. Free / paid.

If you already use a password manager that supports TOTP (1Password, Bitwarden, Dashlane), you can add VeraCita there -- no separate app required.

Step 2 -- Open account settings

Log in to VeraCita and navigate to Account → Security. You will see a section titled "Two-Factor Authentication" with the current status (Disabled by default).

Screenshot placeholder
Account → Security → Two-Factor Authentication section (v1 screenshot pending)

Step 3 -- Scan the QR code

  1. Click "Enable Two-Factor Authentication".
  2. A QR code appears on screen. Open your authenticator app and tap the "+" or "Add account" button.
  3. Point your phone camera at the QR code. The authenticator app registers VeraCita and starts generating 6-digit codes.
  4. Enter the current 6-digit code from the app into the confirmation field on screen, then click "Confirm".
  5. 2FA is now active on your account.

Screenshot placeholder
QR code setup screen with confirmation code entry field (v1 screenshot pending)

Step 4 -- Save your recovery codes

Immediately after enabling 2FA, VeraCita generates 10 single-use recovery codes. Download them as a text file (veracita-recovery-codes.txt) and store them somewhere safe.

Recovery codes are your only fallback if you lose your phone. If you do not save them now and later lose your authenticator device, account recovery will require contacting support.

Download your recovery codes before closing this screen. They are shown only once. Store them in a password manager, encrypted notes app, or printed in a physically secure location -- not in email or unencrypted cloud storage.

How 2FA works day-to-day

Once enabled, you are prompted for your 2FA code when you initiate a verification run -- specifically at the moment you click "Verify Claims" for the first time in a session.

A modal appears asking for your 6-digit code. Open your authenticator app, read the current code (they refresh every 30 seconds), and enter it. The verification proceeds immediately on success.

Screenshot placeholder
2FA challenge modal with 6-digit code entry (v1 screenshot pending)

The 8-hour session window

After a successful 2FA challenge, you are not prompted again for 8 hours within the same browser session. You can run multiple verification jobs without re-entering the code each time.

The 8-hour window resets if you:

What the 6-digit code is

The code is generated entirely by your authenticator app -- VeraCita's servers are not involved in producing it. The code is valid for 30 seconds, then replaced by the next code. Enter whichever code your app currently shows. If the code is about to expire (the timer icon shows <5 seconds remaining), wait for the next code rather than risk a timing error.

Recovery: what to do if you lose your phone

If you no longer have access to your authenticator app, use one of your 10 single-use recovery codes to log in.

  1. On the VeraCita login screen, enter your email and password as normal.
  2. When the 2FA prompt appears, click "Use a recovery code" below the code entry field.
  3. Enter one of your 10 recovery codes exactly as saved (hyphenated, all lowercase).
  4. You are logged in. VeraCita immediately prompts you to set up a new TOTP device -- complete setup before continuing.
  5. The code you used is invalidated. Your remaining codes are unchanged.

Each recovery code can only be used once. After use it is gone. If you run low on codes (or use the last one), generate a fresh set from Account → Security → Regenerate recovery codes. The old set is immediately invalidated when you regenerate.
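As an added illustration of the single-use and regenerate behaviour described above (this is example code, not VeraCita's implementation), the store below issues 10 hyphenated lowercase codes, keeps only their SHA-256 hashes, marks a code spent the moment it is redeemed, and throws the whole old set away on regenerate. The exact code format (two five-character groups drawn from an alphabet without ambiguous characters) is an assumption; the page only states that codes are hyphenated and lowercase.

```python
import hashlib
import hmac
import secrets

# Assumed format: lowercase letters and digits, ambiguous glyphs (0/o, 1/l/i)
# left out so a printed code can be typed back reliably.
ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
CODE_COUNT = 10           # matches the page: 10 single-use codes per set
GROUP = 5                 # "xxxxx-xxxxx" -> roughly 49 bits of entropy per code


def generate_recovery_codes(count: int = CODE_COUNT) -> list[str]:
    """Produce `count` distinct codes from a CSPRNG."""
    codes: list[str] = []
    while len(codes) < count:
        raw = "".join(secrets.choice(ALPHABET) for _ in range(2 * GROUP))
        code = f"{raw[:GROUP]}-{raw[GROUP:]}"
        if code not in codes:
            codes.append(code)
    return codes


def hash_code(code: str) -> str:
    """Codes are high-entropy random strings, so a plain SHA-256 is enough to
    keep a database leak from revealing usable codes (no password KDF needed)."""
    return hashlib.sha256(code.strip().encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record for one account: hashes only, never the codes."""

    def __init__(self) -> None:
        self._hashes: set[str] = set()

    def issue(self) -> list[str]:
        """Generate a fresh set; any previous set is invalidated at once.
        The plaintext list is returned exactly once, for the download file."""
        codes = generate_recovery_codes()
        self._hashes = {hash_code(c) for c in codes}
        return codes

    def redeem(self, submitted: str) -> bool:
        """Accept a code once. Constant-time compare against each stored hash."""
        candidate = hash_code(submitted)
        for stored in list(self._hashes):
            if hmac.compare_digest(stored, candidate):
                self._hashes.remove(stored)   # spent: the same code never works again
                return True
        return False

    def remaining(self) -> int:
        return len(self._hashes)


if __name__ == "__main__":
    store = RecoveryCodeStore()
    codes = store.issue()
    print("veracita-recovery-codes.txt would contain:\n" + "\n".join(codes))
    print("first use:", store.redeem(codes[0]), "| reuse:", store.redeem(codes[0]))
    print("remaining:", store.remaining())
```

Because `issue()` replaces the whole hash set, the old codes stop working the instant a new set is generated, which is the behaviour the page describes for "Regenerate recovery codes". Disabling 2FA would simply clear the set.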

Where to store recovery codes

If you lose both your phone and your recovery codes

Contact support@veracita.ai with your account email and a description of the situation. Account recovery requires manual identity verification and may take up to 2 business days.

Disabling 2FA

You can disable 2FA at any time from Account → Security.

  1. Navigate to Account → Security.
  2. Click "Disable Two-Factor Authentication".
  3. A confirmation modal appears. Click "Yes, disable".
  4. You must enter your current 6-digit TOTP code to confirm. This prevents an attacker who has accessed your browser session from silently disabling your 2FA.
  5. 2FA is removed. Your recovery codes are invalidated. You can re-enable at any time.

Disabling 2FA is immediately effective -- no delay, no email confirmation. If you disable it and believe the action was unauthorised, contact support@veracita.ai immediately.

Common questions

Is 2FA required?

No. 2FA is optional. We strongly recommend it for accounts handling confidential or privileged documents, but it is your choice. See the Terms of Service for the liability framing when 2FA is not enabled.

Does 2FA protect my documents?

2FA protects account access. For document-level privacy, VeraCita uses Zero-Knowledge mode by default -- your documents go directly from your browser to our AI provider without transiting VeraCita's servers. These are complementary layers: 2FA prevents unauthorised login; ZK mode prevents server-side document exposure. Read more on the Privacy Architecture page.

Can I use hardware security keys?

Not in the current release. WebAuthn hardware key support (YubiKey, etc.) is planned for a future version.

Can workspace admins require 2FA for all members?

Per-workspace enforcement ("admin-required 2FA") is planned for the institutional tier. In the current release, 2FA is user-controlled.

Will 2FA affect my API access?

API keys authenticate separately from the browser session. The 2FA challenge applies to browser-based verification runs, not to programmatic API calls authenticated by key. API key management is available in Account → API Keys.

Security questions and support

For account security questions or recovery requests, contact support@veracita.ai.

For security vulnerability disclosures, contact security@veracita.ai.

MindtheGap Sarl, Geneva, Switzerland.