CIRCUMVENTION OF SECURITY

Why Users Circumvent Security: Usability vs. Friction in Modern Authentication
Security systems like passwords, 2FA (two-factor authentication), and MFA (multi-factor authentication) exist to protect accounts, data, and infrastructure—but they often introduce friction. That friction can create incentives for users to find shortcuts or bypasses that lower their effective security, sometimes dramatically.
We built an easy-to-implement authentication upgrade that boosts security and usability while remaining efficient and frictionless: new, secure, peace-of-mind protection from the Human Threat.
THE PROBLEM
Security Is Perceived as a Usability Burden
Authentication systems are meant to prevent unauthorized access, yet many users see them as barriers to productivity:
Account Overload
Users often struggle with dozens or hundreds of accounts, leading to poor practices like reuse or external storage of credentials.
Low MFA Adoption
MFA adoption remains low in many populations: studies suggest a large portion of consumers don’t use 2FA at all, and even where it’s available, many users resist it.
Frustration & Slow Workflows
Setup, recovery, and frequent prompts for codes create frustration and slow workflows.

HUMAN BEHAVIOR TENDS TO FAVOR CONVENIENCE, EVEN WHEN IT UNDERMINES SECURITY GOALS:
Common Realities: How Users Actually Deal with Security
Sticky Notes & Written Passwords
42% of IT professionals and around 41% of consumers admit to using sticky notes or other insecure written records to store passwords.
This practice effectively undermines the whole point of secure authentication.
Registered Devices & “Remember Me” Shortcuts
To avoid repeated MFA prompts, many systems offer “remember this device” or “trust this browser” settings. While convenient, these extensions of trust increase exposure if devices are lost or stolen.
Academic research confirms that systems often store persistent device trust cookies to reduce 2FA frequency, inadvertently relaxing important security protections.
MFA Fatigue & Prompt Approval
A documented attack method (“MFA fatigue attack”) works by overwhelming users with approval requests until they simply accept one out of irritation or haste—a direct consequence of too-frequent prompts.
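A defender-side check for the prompt-flood pattern described above, as an added example that is not part of the original page or of FYEO Auth: it flags a burst of unapproved push prompts for one user, and any approval that lands right after such a burst. The event layout, result names and thresholds are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample push-MFA events: (ISO timestamp, user, result).
# Field layout and result names are assumptions, not a real product's log format.
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "alice", "approved"),  # ordinary single prompt
    ("2024-05-01T02:10:00", "bob", "denied"),
    ("2024-05-01T02:10:40", "bob", "timeout"),
    ("2024-05-01T02:11:15", "bob", "denied"),
    ("2024-05-01T02:12:05", "bob", "denied"),
    ("2024-05-01T02:12:30", "bob", "approved"),    # accepted after the flood
    ("2024-05-01T14:00:00", "carol", "denied"),    # spread out, not a burst
    ("2024-05-01T14:30:00", "carol", "denied"),
    ("2024-05-01T15:00:00", "carol", "approved"),
]

def detect_mfa_fatigue(events, window=timedelta(minutes=10), burst=4):
    """Return (user, timestamp, reason) alerts.

    prompt_burst:         `burst` unapproved prompts inside `window`
    approved_after_burst: an approval while such a burst is still in the window
    """
    recent = defaultdict(deque)  # user -> timestamps of unapproved prompts
    alerts = []
    for ts_raw, user, result in sorted(events):  # ISO strings sort by time
        ts = datetime.fromisoformat(ts_raw)
        q = recent[user]
        while q and ts - q[0] > window:          # drop prompts older than window
            q.popleft()
        if result in ("denied", "timeout"):
            q.append(ts)
            if len(q) == burst:                  # alert once, at the threshold
                alerts.append((user, ts_raw, "prompt_burst"))
        elif result == "approved":
            if len(q) >= burst:                  # high-priority: likely fatigue accept
                alerts.append((user, ts_raw, "approved_after_burst"))
            q.clear()                            # a completed login resets the count
    return alerts

if __name__ == "__main__":
    for alert in detect_mfa_fatigue(SAMPLE_EVENTS):
        print(alert)
```

An `approved_after_burst` alert is the one to act on first: revoke the session and reset the credential, since the password was already known to whoever triggered the prompts.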
Healthcare Example: Sticky Notes on Workstations
In clinical settings like hospitals, doctors and nurses often place sticky notes on shared mobile carts reading “Don’t log me out” so colleagues don’t have to log in repeatedly between patient tasks. This is a clear case of usability pressure defeating security controls—work efficiency prioritized over protection.
This practice is commonly discussed in healthcare usability literature and risk reports.
SECURITY CIRCUMVENTION & THE HUMAN-FACTOR
Why sticky notes and sharing happen
Shared Tasks and Shift Work
Many systems are used by rotating teams, so unique logins for every interaction are seen as impractical. Shared passwords are treated as a pragmatic solution.
Legacy Systems and Poor Single-Sign-On (SSO)
Where single sign-on or fast re-authentication are lacking, repeated logins are frequent and costly.
Urgency and Time Pressure
Clinicians must access systems rapidly to treat patients; any delay can be perceived as risking patient safety. Koppel et al. emphasize clinicians’ “tradeoffs for circumvention.”
SECURITY CIRCUMVENTION
Security Bypass in the Wild
Users don’t just circumvent their own authentication—they sometimes invite others to help:
SOCIAL ENGINEERING OF 2FA
Attackers impersonate tech support and trick users into giving up authentication codes directly—bypassing 2FA without technical hacking.
PHISHING GATEWAYS THAT RELAY CODES
Sophisticated phishing kits now capture both passwords and second factors in real-time, effectively neutralizing traditional MFA.
SIM SWAPPING & SMS VULNERABILITIES
SMS-based second factors are vulnerable to SIM swap attacks and network protocol flaws—attacks that require no password or token interception on the user’s device.
WHY THIS HAPPENS: SECURITY IS TOO MUCH FRICTION
Authentication systems often fail on usability:
✔ Users have to remember many credentials.
✔ They are prompted for second factors too often or in inconvenient ways.
✔ Recovery options are complex or unclear.
✔ Consistency across services is poor (different processes on every site).
The Result: These issues create a travesty in which security systems are designed for threats, not humans.
THE WHY BEHIND CIRCUMVENTION
"Reasons" Users Circumvent Security
Circumvention to Reduce Friction
Users circumvent security when authentication processes interrupt their flow of work. Repeated logins, frequent MFA prompts, password resets, and session timeouts force users to stop what they are doing and re-authenticate—often multiple times per day.
To reduce this friction, users:
- Write passwords down so they don’t have to remember them
- Enable “remember me” or “trust this device” options
- Avoid logging out of shared or mobile workstations
These behaviors are not driven by negligence, but by a desire for a smoother, uninterrupted experience.
Circumvention for Productivity
Productivity-driven circumvention occurs when security mechanisms actively interfere with job performance. If security slows down core responsibilities, users will optimize around it.
Common examples include:
- Clinicians placing sticky notes on mobile workstations asking others not to log them out
- Knowledge workers keeping sensitive documents open to avoid re-authentication
- Field workers disabling security features on shared devices to keep operations moving
From the user’s perspective, security becomes something that competes with productivity rather than supports it—so it gets worked around.
Circumvention to Save Time
Time is one of the most valuable resources for any worker. When security workflows add seconds or minutes to routine tasks, those delays compound across a workday.
Users save time by:
- Reusing passwords across systems
- Keeping sessions open indefinitely
- Approving MFA requests without verifying them carefully
- Sharing credentials in environments where logging in repeatedly is impractical
In high-pressure roles—such as healthcare, manufacturing, logistics, or finance—saving even small amounts of time can feel essential, leading users to bypass security steps altogether.
Circumvention as a Preference
Over time, circumvention can become a learned preference. When users repeatedly experience security as frustrating or intrusive, they develop habits that prioritize convenience by default.
This includes preferences such as:
- Choosing weaker security settings when given the option
- Opting out of MFA where possible
- Selecting authentication methods that require the least interaction
- Trusting devices or sessions indefinitely
When systems allow users to lower the security posture in the name of usability, many will do so—because the system has taught them that security is optional and inconvenient.
FYEO AUTH SOLVES CIRCUMVENTION: SECURITY WITHOUT FRICTION
The Whisper Company’s FYEO Auth is designed to eliminate the tension between usability and security:
Zero-friction user experience
Users authenticate seamlessly without repeated tokens or passwords.
Strong security guarantees
Provides protections that rival or exceed traditional MFA/2FA but without the repeated prompts that cause fatigue and circumvention.
Improved productivity
Users spend less time authenticating and more time working—particularly valuable in fast-moving environments (e.g., healthcare, field work).
How FYEO Auth Works in Practice
Invisible authentication flows reduce cognitive load.
Secure device binding avoids repeated second-factor prompts.
Context-aware trust decisions minimize interruptions while maintaining high assurance.
White-label ready for integration into existing products.

For Companies & Resellers
FYEO Auth SDK Delivers:
✔ A value-added reseller opportunity—enhance current offerings
✔ A white-label solution—rebrand within existing platforms
✔ A competitive edge—better security + better UX
✔ Increased customer satisfaction and retention
FYEO Auth SDK is designed to integrate seamlessly across a wide range of technology ecosystems. Ideal for partners.
Security systems must respect the human element. When they don’t, users take shortcuts—sometimes dangerously so. The most resilient systems are those that sync strong protection with effortless use. With FYEO Auth, enterprises, developers, and users all win—without compromising on either security or efficiency.



