You could add to the list: a way to bind your account to a BTC address automatically from the user profile, plus an option at login to recover your account, all done by signing/verifying random messages.
I understand they are going through each account manually, checking messages and in detail that everything makes sense, but it doesn't look like this is sustainable anymore given the number of hacked accounts we are seeing lately.
Doesn't really prevent accounts being sold and then claimed back, though. I'm not sure what the forum's stance on selling accounts is, and who the rightful owner is, but I assume that they would look for information that might indicate that the account was sold, and see if the credential changes link up to that too. Account recoveries can never be automatic.