You just need to couple the keys to something tangible. But the truth is that every system can by bypassed if you spend enough effort. The only question is when it becomes enough hassle so that it doesn't disrupt ordinary people's lives. Not even facebook cared about enforcing https until someone made a browser plugin that let everyone steal cookies.
