I think that this is a great idea, but there will need to be a few things in place to make it secure enough for use.
- Only friends that communicate "a lot" should be able to report it (and not repeatedly).
- If the account's password was compromised, then the attacker will enter the account recovery flow on the next login attempt. So the AR flow will need to ensure that the user is not the attacker (SMS and e-mail that are trusted, based on age and usage, are pretty good).
But why not just create a system that will alert the user when a successful login was made from a new device on their account? And include an account lock link in the e-mail, so they can quickly lock their account from anywhere with cell phone access.
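
The new-device alert with a lock link suggested above could be built as follows. This is an added example, not part of the original comment. The secret, the 24-hour lifetime, the token layout and all function names are assumptions made for illustration. The token is bound to the single action "lock", so a leaked link can lock the account but never grants access to it.

```python
import base64
import hashlib
import hmac

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed for this demo
TTL = 24 * 3600                   # assumption: the lock link stays valid for 24 hours


def _sign(account: str, expires: int) -> str:
    # Bind the MAC to the action ("lock") so the token is useless for anything else.
    msg = f"lock|{account}|{expires}".encode()
    mac = hmac.new(SECRET, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")


def make_lock_token(account: str, now: int) -> str:
    expires = now + TTL
    return f"{account}.{expires}.{_sign(account, expires)}"


def verify_lock_token(token: str, now: int):
    """Return the account to lock, or None if the token is malformed, forged or expired."""
    try:
        account, expires_s, sig = token.rsplit(".", 2)
        expires = int(expires_s)
    except ValueError:
        return None
    # Constant-time comparison on bytes, so non-ASCII input cannot raise.
    if not hmac.compare_digest(sig.encode(), _sign(account, expires).encode()):
        return None
    return account if now <= expires else None


def on_successful_login(account: str, device_id: str, known_devices: dict, now: int):
    """Return a lock token to e-mail to the user when the device is new, else None."""
    seen = known_devices.setdefault(account, set())
    if device_id in seen:
        return None
    seen.add(device_id)
    return make_lock_token(account, now)
```
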