I've seen this on some bank websites that display a user-selected picture after you give them your user ID. I guess that is so the user can verify that they are talking to the legitimate site.
I've never understood why this is seen as a form of verification. What is stopping a phishing site from simply taking a victim's username and fetching the victim's corresponding image from the bank's website via simple scraping?
This also provides zero additional security for the end user. Offering security questions and/or images that a user selected does not prove that the site is legitimate, since a phishing site can literally be a reverse proxy to your bank's website that just logs all form values. You can accomplish this in < 15 lines of nginx configuration.
Adding "verification images" or security questions that you set up does not prove that a site is legitimate. A successfully established HTTPS connection to the bank's domain is necessary and sufficient to guarantee authenticity (and most banks use EV too, which browsers make extra obvious).
Users should be trained to look at the URL bar for the green EV indicator, instead of being trained to believe that a site is legitimate simply because it displays a picture that they select. Banks that encourage this behavior are actively encouraging users to become even more gullible to well-crafted phishing attacks.
I believe it is there so that you don't accidentally lock someone else out of their account if you enter your username incorrectly (which I have done!).
I had an account with ING Direct and when I created it they asked me what I would like to name it, so I simply entered "checking". Little did I know that you could also use that name as your login name (I always logged in using my account #, I thought the account name was just for display).
Took a few weeks to figure out why I kept getting locked out. Turns out the username "checking" is a pretty popular guess.