https://twitter.com/MalwareJake/status/1034869713103474688

https://medium.com/@stuartschechter/before-you-turn-on-two-factor-authentication-27148cc5b9a1

https://www.nspw.org/2009/proceedings/2009/nspw2009-herley.pdf

Cormac Herley from Microsoft Research wrote a seminal paper on this topic back in 2009:

It is often suggested that users are hopelessly lazy and unmotivated on security questions. They chose weak passwords, ignore security warnings, and are oblivious to certificates errors. We argue that users’ rejection of the security advice they receive is entirely rational from an economic perspective. The advice offers to shield them from the direct costs of attacks, but burdens them with far greater indirect costs in the form of effort.

If it’s too much hassle to follow a security policy or to use a system correctly, people will work around it. This is especially true if they don’t appreciate the requirement or understand why it’s necessary.

They simply disagree with the trade-off you’ve made, and they’re correcting it for you.