authentication and identifying users


The Canon (TM) Says:
What you know: passwords, pin number
What you have: token, Yubikey, credit/debit card
What you are: biometrics

Can you guess the two factors that don't necessarily deanonymize the user?

It contradicts NIST anyways, so why do you need my cell phone number for 2FA?