I wonder what heuristics determines "last location". If it's geo-ip then it's ripe for "10 years later that ip is now somewhere else"
It's probably a synonym for a join over geo, ip, cookie state on a browser or physical device a decade back when the OP last logged in.
If the account had some declared financial worth eg bitcoin key info, I could see a civil suit forcing function but aside from that lever I think it's possible the public shame lever won't work after 10 years idle time.
Keep logging in folks, even with redirection. Enable 2fa and get backup keys printed.
I agree with your assertion that the trustworthiness of cryptography based second factor is greater than recovery email, however since no such token has been defined, deduced location overriding recovery email is still a big wtf that should stop.
Public shame (awareness) is perhaps half of the reason, not trying super hard here otherwise I'd pick better time of submission etc :) The other half is amusement, and perhaps hoping some security SME would talk about nuances that I don't know I don't know.
It's probably a synonym for a join over geo, ip, cookie state on a browser or physical device a decade back when the OP last logged in.
If the account had some declared financial worth eg bitcoin key info, I could see a civil suit forcing function but aside from that lever I think it's possible the public shame lever won't work after 10 years idle time.
Keep logging in folks, even with redirection. Enable 2fa and get backup keys printed.