This is part of a bigger play by Facebook.
Most mail accounts in use right now are password SMTP over TLS/SSL. Yet most services on the net assume that people are in full control of their primary mailboxes.
By going multi-factor on their login system, Facebook wants to establish their messaging system as a more secure, more trusted endpoint (especially for the average user with zero understanding of password hygiene) than good old email. Once they do so, and get their users trained up softly-softly on multi-factor authentication, they then quietly pitch to organizations and service providers (banks, government services, utilities, ...) to request Facebook, rather than email, as the preferred primary mechanism for staying in touch with customers.
After all, if Facebook accounts are harder to spoof than an email address -- and with the continual life history & social graph data they contain, they surely are -- why wouldn't an organization want to stay in touch with its customers that way? From the point of view of a big org concerned with identity theft and fraud prevention, it's surely a tempting way to arrange things. Facebook owns your digital identity and theirs; phishing becomes much more difficult to execute, as senders are authenticated & easily verified.