Not necessarily the USER. The user's DEVICE, yes, but not the user him/herself, and that's significant because the user may not necessarily have access to his/her own device (particularly the internals, think a black-box cryptoprocessor). The material is there, and the algorithm is known, but if the key is not presented in a way that the user can easily reach, then it's still a pretty tight system: like a peep show (look but don't touch).

