I like this option far less than my suggestion that anyone who
wanted to disable password resets would have to upload a PGP or SSH
key first.

I suppose if people are so concerned about disabling password resets, then it isn't really unreasonable to expect them to send public keys to you instead. You do need a solid way of identifying them somehow, and this is inherently more secure than relying on human verification of potentially faked image data.

It also removes a lot of the risk involved in the verification process… either a key matches or it doesn't, but visually verifying images is a much more fuzzy situation.
-- 
Aaron B. Russell
http://unadopted.co.uk
+44 20 3137 4147