---
title: "Can Web Governance do a scan on my site through my two-factor authentication (2FA)?"
date: "2026-04-10T07:04:24+00:00"
summary:
image:
type: "article"
url: "/web-governance/help/97091-can-web-governance-do-scan-my-site-through-my-two-factor-authentication-2fa"
id: "3e1f6350-c808-4a0e-97a9-f9c026f14baa"
---

Answer
------

No.

The Web Governance crawler cannot bypass two-factor authentication (2FA).

Reason
------

A crawler can automate the input of static credentials (username and password) but it fails at the 2FA stage for several key reasons. 

*   Most 2FA methods rely on a physical devices such as a smartphone, hardware token, or SIM card. The crawler cannot physically access the output, such as the SMS message, the TOTP code generated by an app like Google Authenticator, or a biometric prompt sent to a mobile device.
*   The authentication codes for the 2FA time out very fast, so this is does not really work with the crawler. A crawler essentially lacks the physical presence required to bridge the gap between the digital login page and the secondary, private communication channel where the 2FA token lives.
*   As 2FA is literally designed to prevent bots from authenticating, most 2FA providers (like Duo, Okta, or Akamai) include secondary layers for this. They prevent login attempts that seem to be made by robots (as opposed to humans) based on perfectly timed keystrokes which are unnatural for humans, lack of mouse movement or "headless" browser signatures and IP addresses associated with data centers rather than residential ISPs.

Solution
--------

Acquia recommends that you try to turn off 2FA for the Web Governance crawler by allowlisting the Web Governance IP address, although this method may not work with all configurations. Contact support for assistance.

Additional resources
--------------------

For more information, visit [How to do a scan on password-protected and internal pages](/node/58566).