by quarkral 3206 days ago
How would you implement 2FA without making your personal phone number publicly available for anyone to attempt to authenticate with? It's not the same as your bank calling you when you already have an account with them - we're talking about a new bank, who you have no relationship with, trying to call you to verify your identity.

A true public key system opens up each individual user to malicious spam. Given the current prevalence of phone, mail, and email spammers, such a system would create more problems than it solves.

SSNs could technically be passwords. The problem then is that data servers need to not store SSNs in plaintext, but rather store hashes of them, just like passwords should not be stored in plaintext.