I like your approach to 3. I've thought a lot about phishing lately, because it's only a matter of time when your users will 'lose' their credentials. Secret pictures etc, ssl certs, etc are all indicators that you're on the right page - but not more than indicators.
We’re a place where coders share, stay up-to-date and grow their careers.
We strive for transparency and don't collect excess data.