said by anon user :
What is the security risk of that?
On the other side of that...
It adds a layer of authentication, as in a 2 factor challenge if it's in addition to just using a registered email address to send a password token.
Using a hijacked email account to get access to different password protected sites is a daily occurrence.
This policy would eliminate or at least slow down an account hijacking depending on the strength of the security challenge Q & A's.