[DominikR]

I do not think that every mechanism you proposed is viable, but generally I think you nailed it with this:

> Facebook should look closely at whatever attacker they are trying to lock out, and make several methods of ownership verification available. Maybe require two?

We might already see that, at least I have been prompted to validate once via email and once via text message before.

And then there are those questions Facebook asked me about some of my friends (do you know this person, is he/she real) which are obviously related to account verification in some way.

I also agree that it isn't smart to ask for IDs after all those NSA revelations.