While it looks great I have to wonder the choice to only support "Log in with Facebook". I mean if it's merely for logging in, then surely you could allow the use of other openID/OAuth providers like f.x. google?
"Spambots can’t check the checkbox because it’s only displayed to users on the client-side."
(And I know regular captchas suck. There are some better ones, like "select image with a cat". But JS checkbox should be enough for now.)
"Only an incorrect username would throw you to the registration screen, not an incorrect password."
Of course. But most bots are simple and not adjusted to specific websites. And increasing spam protection only makes sense if current protection is not enough. (And I'm sure regular HTML checkbox wouldn't be enough, but JS one may be.)