"There is, however, one large problem: What if a person mistypes a password? In that scenario, a fake vault is generated, and a user is locked out of his or her accounts."
This is the weak point - It forces the user, or the system, to generate an additional artifact to inform the user (but hopefully not the attacker) that the password safe is correctly unlocked.
"One possible fix is to create a hash of the master password that is linked to an image that is shown when the password is entered. The authorized user should recognize when the wrong image is displayed, but an attacker would not."
I'd expect this one image to be shown only when the master password is entered. i.e. it is an unique indicator. Fake images will need to be generated for all other passwords, and if there are duplicates then they can be eliminated as false-positives. Strategies like this will always be the weak point. It's commendable that they're attempting to fix the problem, lets just hope the additional complexity doesn't weaken the system overall.