Re. It's working already
Doesn't FB already have a "No giving out passwords" aka "No password sharing" policy?
Simple fix, warrant canary. Have the software look (as is routinely done on Twitter) for geographically implausible logins, and if seen it assumes the password has been compromised and requests additional ID.
Caveat: forging an IP address is trivial but forging an IMEI/IMSI/etc. takes a lot of effort.
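The geographically implausible login check mentioned in the comment above, sketched as an added example that is not part of the original comment or any site's actual code. The `Login` record, the 900 km/h threshold, the 100 km noise floor and the sample events are all assumptions, and coordinates are assumed to come from an IP-geolocation lookup done upstream.

```python
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

MAX_SPEED_KMH = 900.0    # assumed threshold: roughly airliner cruising speed
EARTH_RADIUS_KM = 6371.0


@dataclass
class Login:             # hypothetical event record
    user: str
    when: datetime
    lat: float           # assumed to come from IP geolocation done upstream
    lon: float


def distance_km(a: Login, b: Login) -> float:
    """Great-circle (haversine) distance between two login locations."""
    dlat = radians(b.lat - a.lat)
    dlon = radians(b.lon - a.lon)
    h = sin(dlat / 2) ** 2 + cos(radians(a.lat)) * cos(radians(b.lat)) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(h))


def needs_step_up(prev: Login, cur: Login, min_km: float = 100.0) -> bool:
    """True when the travel speed implied by two logins is implausible."""
    dist = distance_km(prev, cur)
    if dist < min_km:    # geolocation noise within one region: ignore
        return False
    hours = abs((cur.when - prev.when).total_seconds()) / 3600
    if hours == 0:
        return True      # far apart at the same instant
    return dist / hours > MAX_SPEED_KMH


def review(logins):
    """Return the logins that should trigger a request for additional ID."""
    last_seen, flagged = {}, []
    for cur in sorted(logins, key=lambda l: l.when):
        prev = last_seen.get(cur.user)
        if prev is not None and needs_step_up(prev, cur):
            flagged.append(cur)
        last_seen[cur.user] = cur
    return flagged


# Constructed sample events (not real data).
SAMPLE = [
    Login("alice", datetime(2024, 1, 1, 9, 0), 51.5074, -0.1278),    # London
    Login("alice", datetime(2024, 1, 1, 10, 0), 40.7128, -74.0060),  # New York, 1 h later
    Login("bob", datetime(2024, 1, 1, 9, 0), 48.8566, 2.3522),       # Paris
    Login("bob", datetime(2024, 1, 2, 9, 0), 35.6762, 139.6503),     # Tokyo, 24 h later
]
```

Running `review(SAMPLE)` flags only the second "alice" login; the "bob" pair is far apart but leaves enough time for a flight.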