Good security does generally not rely on a single measure. The service provider not doing this in the first place is good, but the user (also) having a second line of defense is objectively better, although it may incentivize poor behaviour of SPs.