diff --git a/sso-mfa/k8s/keycape/refresh-pi-token-live.sh b/sso-mfa/k8s/keycape/refresh-pi-token-live.sh
index 5edf52f..c9db65e 100644
--- a/sso-mfa/k8s/keycape/refresh-pi-token-live.sh
+++ b/sso-mfa/k8s/keycape/refresh-pi-token-live.sh
@@ -24,8 +24,15 @@ KEYCAPE_DEPLOYMENT="${KEYCAPE_DEPLOYMENT:-keycape}"
 KEYCAPE_SECRET="${KEYCAPE_SECRET:-keycape-config}"
 KEYCAPE_TOKEN_SECRET="${KEYCAPE_TOKEN_SECRET:-keycape-pi-token}"
-read -r -s -p "privacyIDEA pi-admin password: " PI_ADMIN_PASSWORD
-printf "\n" >&2
+if [[ -r /dev/tty ]]; then
+ printf "privacyIDEA pi-admin password: " > /dev/tty
+ IFS= read -r -s PI_ADMIN_PASSWORD < /dev/tty
+ printf "\n" > /dev/tty
+else
+ printf "privacyIDEA pi-admin password: " >&2
+ IFS= read -r -s PI_ADMIN_PASSWORD
+ printf "\n" >&2
+fi
 if [[ -z "$PI_ADMIN_PASSWORD" ]]; then
 echo "[FAIL] Empty pi-admin password." >&2
 exit 1
diff --git a/tools/security-bootstrap-console/security_bootstrap_console.py b/tools/security-bootstrap-console/security_bootstrap_console.py
index dcd3e0d..632e73d 100755
--- a/tools/security-bootstrap-console/security_bootstrap_console.py
+++ b/tools/security-bootstrap-console/security_bootstrap_console.py
@@ -1408,11 +1408,9 @@ def admin_identity_command_payloads(data: dict[str, Any]) -> list[dict[str, str]
 if refresh_pi_token_state == "blocked":
 refresh_pi_token_reason = "Configure OpenBao OIDC auth before repairing the MFA check path."
 refresh_pi_token_command = (
- "bash <<'NETKINGDOM_KEYCAPE_PI_TOKEN_REFRESH'\n"
 "set -euo pipefail\n"
 f"cd {keycape_dir}\n"
 f"KUBECTL={kubectl_bin} bash ./refresh-pi-token-live.sh platform-root\n"
- "NETKINGDOM_KEYCAPE_PI_TOKEN_REFRESH\n"
 )
 login_command = (
 "# Terminal 1: bridge the browser callback to the bao CLI running in the OpenBao pod.\n"
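Review bot: The `[[ -r /dev/tty ]]` test in the added branch checks only the permission bits on the device node, so it can succeed in a process with no controlling terminal (a CI job, cron, or a container started without a tty); opening /dev/tty then fails and the stdin fallback in the `else` branch is never reached. Probing by actually opening the device selects the right branch: `if (exec < /dev/tty) 2>/dev/null; then`. In the fallback branch `read -s` suppresses echo only when stdin is a terminal, so a comment there would help, for example `# stdin fallback: password arrives via pipe/redirect; the caller must not log or echo it`. The script's shell options and the later use of PI_ADMIN_PASSWORD are outside the hunk.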
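Review bot: With the `bash <<'…'` wrapper removed, the `set -euo pipefail` and `cd` lines of `refresh_pi_token_command` now run in whatever shell the operator pastes the text into (assuming these payloads are shown for copy-paste, which the hunk does not show). `errexit` then stays set in that session, and a later failing command closes the terminal. A subshell keeps stdin on the terminal for the password prompt while scoping the options and the directory change: add `"(\n"` before the `"set -euo pipefail\n"` line and `")\n"` after the `refresh-pi-token-live.sh` line. Separately, `keycape_dir` and `kubectl_bin` are interpolated into shell text unquoted; if either can contain spaces or shell metacharacters, pass them through `shlex.quote()`. The function body starts and ends outside the hunk.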