Convenience will beat security if given the chance. Users compromise security with work-arounds for security practices that are inconvenient. We design systems that rely on our functional definition of a trusted user. All too frequently we have invited a trusted user into our network through our user-friendly environment, and that trusted user is a hacker. Hackers function best when they cloak themselves in the credentials and privileges of a legitimate, trusted user.
Placing any security function's reliance upon the user creates an inherent, and all but unavoidable, vulnerability. Users function in physical space, not in digital space. It is unreasonable to assume that the user can make the transition from analog space to digital space.
Digital security should be a purely digital function.
The analog component (the human user) is a prime and easy target for the attacker. There is no functional need for a human component in network security! When thinking about network security we should separate the security of the network from the information that travels on the network.
After all, we don't rely on train passengers for the safety of the train tracks.
Humans do not travel on the network. They exist 100% outside of the network, both physically and informationally. Human users are identified through privileges, accounts, and initial device login. Those functions should be isolated from network security.
With users removed from network security, the major vulnerability is also removed. QWERX is hard at work on device-to-device authentication which does just that: provides secure authentication without user involvement and without user vulnerability.