[wileydragonfly]

Well, it doesn’t help matters when CIOs berate us at town halls “the entire company blew up literally because someone clicked ONE LINK they shouldn’t have!!!!” and I’ve sat through many of those “blame the user” sessions.

Two factor has resulted in similar berating. “How dare someone click APPROVE at 2am?!” Well, they were trying to silence the phone when they were attempting to sleep. Why are you allowing pushes outside of business hours without an additional layer of security? Maybe that giant APPROVE button isn’t the best default option at 2am?

[gregjor]

Sometimes you can't win. I worked on a site that had what I call a punitive UI -- buttons and links that would throw up a modal alert telling users they shouldn't have clicked on that. When I started changing the UI so users didn't see controls/links they shouldn't click on, users complained that "the web page changed," as if they had memorized exact pixel locations and I caused their confusion. Pigeons pecking at the green dot.

Numerous studies tell us that people don't read web pages, or don't read much of the text on the page. A big "click here" helps in that case, a call to action as another commenter wrote. As long as the page or email just has one call to action.