This is unfortunately not robust against phishing, which is for most users the bigger risk IMO (not necessarily power users, but I'd argue that most power users are too sure of themselves in this regard). It's always a question of the threat vectors and the weight you give them.