Re: Photos?
Better question:
How this is any easier or better than:
"A user at IP x.x.x.x just tried to log into your account. If this is you, please press Accept. Otherwise press Reject"?
Because, for sure, I can't think of anything else that would make a difference between those systems. "I could send you a fake request with a fake IP"? If I didn't request login, why would I press it. And if I got four or five logins at the same time as I login, then honestly you're compromised anyway because someone KNEW you were logging in at that point.
And any serious usage of both systems is likely to be hindered by automated spam after a while. After the tenth incident of someone not you trying to log in, you're just going to turn the feature off to stop it bothering you.
A compromised device is game over anyway. They might not be able to fake the photo but they'll just wait until the photo is from you and then intercept it to gain your login or whatever.
I don't think this is anything new, groundbreaking, or useful over system that already exist (like just getting an email / notification whenever I access my account - even my server host does this "You just logged into your manager control panel. If this was not you...").
Biting the hand that feeds IT
