Location data
"..showing users what application they're signing into and the location of the device, based on its IP address, that is being used for signing in"
I think this can be counter productive. I'm often asked to verify that I'm logging in from Australia (a big place so not that helpful), or from Melbourne or Sydney (300km, 800km away respectively), Location by IP address is very hit or miss in Australia.
I understand this and can ignore the silly messages. I only verify when I'm sitting next to the computer and am causing the alert process.
Most computer users are at least a little less IT literate than me. Telling them they are being attacked by somebody 800km away will often not end well. In the end-user mind, telling somebody to ignore some details in a message is the same as telling them to just confirm every message. The topic of this article.
A further problem occurs when some installed software connects to the mothership at system start up, causing verification messages when the user isn't expecting them.
I like the idea of entering a code from the SMS message to complete the loop properly, even if I sometimes have to ring the guy who was previously in my job to get the verification code. His yacht is normally in range so this isn't much of a problem.
I don't think good reliable authentication is anywhere near a solved problem yet.
Biting the hand that feeds IT
