There’s a fine line between protecting against suspicious, malicious, or unwanted activity and making users jump through hoops to prove themselves.