• Jurriaan Themmen (11/16/2007)


    1) "Lost or stolen device". Can't the industry come up with some kind of key-pair solution for this, like they have / had in PGP? The idea is that the mobile device can only be used in combination with registered hardware that holds part of the key combination. Surely something like this should be possible?

    This doesn't work very well, either. Case in point: one organization secured their systems with RSA SecurID tokens. That's just a key fob with a 6-digit number that changes every minute. You add that 6-digit number to a 4-8 digit PIN you set and you've got a two-factor solution that's generally pretty solid. But you still want to keep the key fob separate from, say, the laptop, even though there is that PIN.

    What did the organization's security folks find? A sales rep had bought one of those keychain rings and managed to thread the power cord of the laptop through it. On that keychain was, you guessed it, the SecurID token. What made it all the worse is that the sales rep had started spreading how to do this to other reps.

    There's a picture of that somewhere on the Internet. But basically like you said, awareness is really the only answer. The catch is to hit enough where they are well informed but not so saturated they just tune anything new out.

    K. Brian Kelley
    @kbriankelley
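As an added illustration (not part of the original thread and not code from either commenter), the following shows what the server side of the "PIN plus a 6-digit code that changes every minute" scheme in the reply above looks like. It uses the open RFC 4226 HOTP / RFC 6238 TOTP construction with a 60-second step as a stand-in, not RSA's proprietary SecurID algorithm; the seed and PIN are constructed demo values. The point a defender should take from it is that the server can enforce the things software can control (constant-time comparison of both factors, bounded clock drift, and rejection of a replayed passcode), but nothing in this code can tell whether the fob is threaded through the laptop's power cord, which is why the anecdote ends with awareness rather than a technical fix.

```python
"""
TOTP-style PIN + tokencode verification, as an illustration of the scheme
described in the post. The arithmetic is RFC 4226 HOTP / RFC 6238 TOTP with
a 60-second step, NOT RSA's proprietary SecurID algorithm. The seed, PIN and
timestamps below are constructed demo values.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # the post describes a code that changes every minute
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, int(at_time // step))


class TokenVerifier:
    """Server-side state for one user: shared seed, PIN, accepted drift window,
    and the last time step at which a passcode was accepted. Remembering that
    step stops a captured passcode from being replayed inside its validity window."""

    def __init__(self, seed: bytes, pin: str, window: int = 1):
        self.seed = seed
        self.pin = pin              # a real server would store a hash of the PIN, not the PIN
        self.window = window        # clock drift tolerated, in steps, on either side of "now"
        self.last_step = -1         # no passcode accepted yet

    def verify(self, passcode: str, at_time: float) -> bool:
        """Passcode is the PIN immediately followed by the 6-digit tokencode."""
        if len(passcode) != len(self.pin) + DIGITS or not passcode.isdigit():
            return False
        pin, token = passcode[:len(self.pin)], passcode[len(self.pin):]

        # Evaluate both factors before deciding, in constant time, so that response
        # timing does not reveal which of the two was wrong.
        pin_ok = hmac.compare_digest(pin, self.pin)
        now_step = int(at_time // STEP_SECONDS)
        matched = None
        for step in range(now_step - self.window, now_step + self.window + 1):
            if hmac.compare_digest(hotp(self.seed, step), token):
                matched = step

        # Reject if either factor failed, or if the matching step is not newer than
        # the last accepted one (replay of a code that is still inside the window).
        if not pin_ok or matched is None or matched <= self.last_step:
            return False
        self.last_step = matched
        return True


if __name__ == "__main__":
    seed = b"constructed-demo-seed"     # constructed value, provisioned to fob and server
    verifier = TokenVerifier(seed, pin="1234")
    now = 100_000.0                     # constructed timestamp
    passcode = "1234" + totp(seed, now)
    print("first use accepted:", verifier.verify(passcode, now))
    print("replay accepted:   ", verifier.verify(passcode, now))
```

The HOTP function can be checked against the published RFC 4226 test vectors (seed `12345678901234567890`, counter 0 gives `755224`), which is the quickest way to confirm a home-grown implementation before trusting it with real seeds.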