This is probably the best way to stop it from being automated. As well as a verified form of 2FA like a phone or email code.