You could add to the list: a way to bind your account to a BTC address automatically from the user profile, plus, at login, an option to recover your account, all done by signing/verifying random messages.
I understand they are going through each account manually, checking messages and checking in detail that everything makes sense, but it doesn't look like this is sustainable anymore given the number of accounts hacked we are seeing lately.