← Blog

Can AI Agents Handle Two-Factor Authentication?

Yes — with a human in the loop. How computer-use agents handle 2FA, MFA codes, and CAPTCHAs on financial portals: 1Password injection, takeover mode, and a dedicated code inbox.

Yes — but not by bypassing it. A well-designed computer-use agent treats 2FA the way a regulated firm would want it treated: credentials are injected from a password manager the humans control, emailed codes flow through a dedicated agent inbox, and anything the agent can't clear — a CAPTCHA, a push approval, a security question — hands control back to a person, then resumes.

This is the first question we get in almost every conversation with an operations or technology leader. A CIO at a multi-billion-dollar hedge fund opened with it before we'd finished introductions: "How do you deal with two-factor authentication? If you guys solve that, we're cooking." An operations leader at a large family office put it the other way around: "You have no idea how many times I've talked to a tech company and they're like, oh, we could automate it — but there's two-factor."

It's the right question. Two-factor prompts are exactly where portal automation projects have died for a decade — and where RPA scripts still die today.

Key takeaways

  • Agents don't need to see passwords to use them. Credential injection from a password manager (we integrate with 1Password) means the agent triggers a login without the secret ever entering its context.
  • Emailed one-time codes are solvable with plumbing, not magic: forward them to a dedicated inbox the agent monitors, and the code gets applied like any other on-screen step.
  • CAPTCHAs and push approvals are a feature boundary, not a failure: the agent flags the prompt, a human clears it on the shared screen, and the run resumes.
  • Be suspicious of vendors who advertise agents that silently defeat MFA and CAPTCHAs. Those controls exist to stop unattended machines. An agent built for a regulated firm should work with your authentication controls, not around them.

How does an agent log in without seeing the password?

The agent never holds credentials. Passwords live in a vault your team manages — in our case, a 1Password integration — and are injected at the login step. The agent knows that it logged in; it never knows what the password was. Rotating a credential is a vault update, not an agent retraining. Sharing a credential with an agent is revocable the same way sharing with an employee is.

This matters for more than hygiene. Under SEC and FINRA expectations for third-party access, "we gave the bot a spreadsheet of passwords" is an audit finding. "The agent authenticates through the same vault our people use, with per-agent scoped credentials and every action logged" is an answer a compliance officer can write down.

What happens when a 2FA code is required?

Most financial portals deliver one-time codes by email or authenticator app. For emailed codes, the clean pattern is a dedicated agent inbox: the code notification is forwarded to an address the agent monitors, it reads the code, and enters it on screen — the same steps a person takes, minus the person. For authenticator-app or push-based flows, the run pauses and a human approves.

The point isn't that the agent clears 100% of authentication autonomously. It's that authentication stops being the reason the other 95% of the workflow stays manual.

What about CAPTCHAs?

CAPTCHAs exist to detect unattended automation — so the honest answer is that an agent shouldn't be trying to beat them. When a CAPTCHA appears, our agent flags it and hands over control. Because the agent works on a shared, visible desktop (a cloud computer your team can watch), a human solves the CAPTCHA on screen — a few seconds of work — and hands control back. The takeover is logged like every other action.

We built this collaboration mode early precisely because we knew the agent can't — and shouldn't — do everything alone. The same mechanism that clears a CAPTCHA is the mechanism that pauses for human approval before anything final: a submit, a wire, a filing. It's one design principle applied everywhere: the agent does the work; your team keeps the authority. That principle is the heart of the Agentic Trust Framework we've written about separately.

Why do most automation vendors fail this question?

Two reasons. Traditional RPA runs headless and brittle: a 2FA prompt is an unhandled exception, so the workflow either breaks or someone disables MFA on the service account — which is how automation projects end up weakening a firm's security posture. And some newer vendors advertise the opposite extreme: agents that "bypass" MFA, CAPTCHAs, and token walls entirely. That demos well. But walk it past your security team: an unattended system that defeats the controls your counterparties put up to stop unattended systems is not a story you want to tell an examiner.

The middle path — vault-injected credentials, a code inbox, human takeover for everything else — is less flashy and much easier to approve. In our experience it's also faster to deploy, because it doesn't require exceptions to anyone's security policy.

Is this compliant for a regulated firm?

The pattern was designed for that question. Every agent gets its own identity and scoped credentials; every action — including every authentication event and every human takeover — lands in an append-only audit log built for SEC Rule 204-2 books-and-records review. The agent runs in a whitelisted sandbox with no open internet, with zero data retention and zero training on your data. Your compliance team can reconstruct any session: who authorized it, what the agent did, where a human stepped in. Details are on our security page.


FAQ

Can an AI agent get the 2FA code from Outlook? Yes — the standard pattern is forwarding the code email to a dedicated inbox the agent monitors. The agent reads the code and enters it on screen; the forward rule is something your IT team sets up and can revoke.

Does the agent store passwords? No. Credentials stay in the password manager your team controls and are injected at login. The agent's context never contains the secret.

What if the portal uses an authenticator app or push approval? The run pauses and a human approves — takeover mode is a first-class feature, not an error state. The pause and resume are both logged.

Can it solve CAPTCHAs by itself? It doesn't try. A human clears the CAPTCHA on the shared screen in seconds, and the agent resumes. If a vendor tells you their agent silently defeats CAPTCHAs, ask your security team how they feel about that.

Does human-in-the-loop defeat the purpose of automation? In practice, no. Authentication is seconds of a workflow that otherwise takes an ops team member 45 minutes of downloading, re-keying, and reconciling. The agent does the 45 minutes; your team spends the seconds. For what those 45-minute tasks look like, see the portal work nobody automates.

Raise what your team can do.