diff --git a/userland/aws.el b/userland/aws.el
index c4a16cf..3137ff2 100644
--- a/userland/aws.el
+++ b/userland/aws.el
@@ -43,13 +43,39 @@
 (defvar aws-reauth-timer nil
 "The reauth timer, if created.")
 
+(defun aws--login (role)
+ "Internal login function --- handles the command as a process, and prompts for MFA."
+ (let* ((process-name (format "%s-%s" aws-cli-auth-provider (replace-regexp-in-string "[/:]" "-" role)))
+ (buffer (get-buffer-create (format "*%s*" process-name)))
+ (prompt-regexp (rx (or "Enter verification code")))
+ (prompt-sent nil))
+ (with-current-buffer buffer
+ (erase-buffer))
+
+ (make-process
+ :name process-name
+ :buffer buffer
+ :command (list aws-cli-auth-provider "login" "--force" "--skip-prompt" "--role" role)
+ :filter
+ (lambda (proc output)
+ (with-current-buffer (process-buffer proc)
+ (goto-char (point-max))
+ (insert output)
+
+ (unless prompt-sent
+ (let ((buffer-contents (buffer-string)))
+ (when (string-match-p prompt-regexp buffer-contents)
+ (let ((token (read-passwd "MFA token: ")))
+ (process-send-string proc (concat token "\n"))
+ (setq prompt-sent t))))))))))
+
 (defun aws-sign-in ()
 "Sign in with AWS."
 (interactive)
 (let* ((role (completing-read "AWS Role: " aws-roles))
 (auth-fn (lambda ()
 (message (concat "Authenticating with " role " via " aws-cli-auth-provider))
- (shell-command (concat aws-cli-auth-provider " login --force --skip-prompt --role " role)))))
+ (aws--login role))))
 (funcall auth-fn)
 (when aws-auto-reauth
 (setq aws-reauth-timer (run-at-time t (* 60 aws-auto-reauth) auth-fn)))))
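Review bot: The `make-process` call in `aws--login` has a `:filter` but no `:sentinel`, so the exit status of the now-asynchronous login is never checked. A rejected MFA code or a failed re-auth from the `aws-reauth-timer` run passes silently, and the user may go on working with credentials that were never refreshed. The `prompt-sent` latch also means a second "Enter verification code" prompt after a bad code is never answered, which would leave the process waiting on stdin until it is killed. I would add a sentinel that reports a non-zero `process-exit-status` and names the process buffer, and call `(clear-string token)` after `process-send-string` so the code does not linger in the Lisp heap. The filter closes over `prompt-sent` and `prompt-regexp`, which only works with `lexical-binding` enabled; the file header is outside this hunk, so that is worth confirming.

```elisp
(make-process
 ;; … unchanged: :name, :buffer, :command, :filter …
 :sentinel
 (lambda (proc _event)
   ;; Surface the outcome once the CLI has exited or been killed, so a
   ;; failed (re)authentication is not mistaken for fresh credentials.
   (when (memq (process-status proc) '(exit signal))
     (if (zerop (process-exit-status proc))
         (message "%s: login finished" (process-name proc))
       (message "%s: login failed (exit %d), see buffer %s"
                (process-name proc)
                (process-exit-status proc)
                (buffer-name (process-buffer proc)))))))
```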