I totally agree with you, except that asking users multiple times for their password will increase password fatigue. It may be argued that we could prefer the users to mindlessly click on Yes when a popup arises, instead of mindlessly inputting their password. Another option can be timers on the Yes button (like Firefox does), it blocks a few user interface hijacking attacks and gives the user an opportunity to think before they click.