The three things you've listed are how user security traditionally has been done -- but even something like using a password to grant access was not inevitable. I think we'd need to question a lot of assumptions that drive how the industry works to fix how pervasively inaccessible most platforms are, and we'd need a lot of legal reform around which information gets collected.