Yeah, the question is really which potential harm is larger: unauthorized access, or the possible failure of authorized access? Then you need to ensure the system is more likely to fail in the less dangerous direction.

Sounds like physical keys do that.