The Louvre’s lesson: Security must work with human nature

Notorious hacker Kevin Mitnick famously said the weakest link in any security chain is the human element. Unfortunately, the staff at the Louvre have proved him right.

The revelation that the security system password for the world-famous museum had once been LOUVRE was jaw-dropping. It was an astounding act of negligence.  

Yet the choice also reflects something very human. In a busy moment, it is all too tempting to choose a password simply because it is familiar and requires no effort to remember. Whether people are working with priceless artifacts or in an office environment, they are often trying to move quickly and get their work done without extra steps slowing them down.

Hurdles aren’t helping

The data backs this up. A 2024 report by Verizon found human error was implicated in 68% of data breaches. In the past, the response to security incidents tended to involve placing another hurdle between people and the places or data they want to access. That’s how we ended up with the familiar corporate toolkit of swipe cards, access codes, passwords and multi-factor authentication.  

These systems add friction and overlook how people actually work. When security is slow or cumbersome, people start to take shortcuts. If someone forgets their badge and has to wait 20 minutes at the concierge desk for a temporary one, it is easy for human behavior to drift toward convenience, like borrowing a colleague’s badge instead.

We need human-centric security

What’s needed, and what’s becoming possible, are security systems that are designed around how people actually behave, not how engineers wish they did. Human-centric security makes spaces safer by making access effortless and using smart technology to identify and respond to threats.

Examples of these technologies include:

• Passwordless authentication and passkeys. Device-bound or synced passkeys protected by fingerprint, face or PIN eliminate the need to remember passwords and are far more resistant to phishing and credential theft.
• Mobile and wearable credentials. Access cards can be added to phone or watch wallets, reducing the likelihood users will forget or lose their badge as it’s on a device they already protect carefully.
• Intelligent access points. Doors equipped with facial authentication enable users to move through workplaces seamlessly, eliminating the need to fumble with ID badges. Safeguards such as tailgating alerts provide an additional layer of security for moments when workers forget to secure a door behind them.  
• Risk-based access. AI analyzes patterns such as time, location and user behavior to decide how much verification is needed for every access request. Normal activity stays fast and easy. Unusual access attempts may trigger an extra step like providing a PIN or secondary credential.

If most breaches involve people, then the lesson is clear. Security has to be designed with human behavior at the center, not in spite of it. The more we make the secure action the easiest one, the less often humans will be the weakest link.