"Social authentication" - old news
The photo-based authentication has been in place for several months at least -- I was on holiday in November and when I logged on from Cybercaffs it said I'd connected from a new location and had to verify myself.
You're presented with several pics of the same person (I can't recall the exact number), drawn seemingly at random from tagged photos, and a selection of several friends' names to choose from. This happens 4 or 5 times, and you're given the option to skip (I think you get 3 chances to skip) just in case the photos are bad or it's someone you don't really "know" know.
It's a sensible system, but there are two little flaws.
1) It seems to select very strongly connected people (one of my brothers or sisters was always included) so if the attacker knows you at all, he's likely to know these people. Of course, this is because they're trying to make it easy for *you* to recognise them, but hey-ho...
2) Judging by the wording of the message, it's about registering the location the first time you connect from there, so if you're in an unscrupulous cybercaff, the same people who sniff your login details will have access to the terminal/subnet/geographic location (whatever it is that Facebook considers a location) you used to connect, which will now (presumably) be whitelisted by Facebook.
It's a step in the right direction, but they've got a very, very long way to go yet....