> Shoulder surfing and weak passwords are both something you can control at any time.
How, exactly? And "require users to watch out for shoulder surfing and use strong passwords" does not count.
Any chance you are thinking about pretty specific circumstances here (security-aware, technical employees generally not having to enter passwords in public spaces)?
I don't understand why you wouldn't think those count. At some point security rests upon the discipline and good judgment of the person with information to secure. I don't believe you can make a technological system which offers perfect security and perfect convenience. Biometrics are very convenient, but can be exploited by force. Strong passwords and environmental awareness (of snoopers) are quite robust, but at a considerable loss of convenience.
How, exactly? And "require users to watch out for shoulder surfing and use strong passwords" does not count.
Any chance you are thinking about pretty specific circumstances here (security-aware, technical employees generally not having to enter passwords in public spaces)?