
You don't need to change the core identifiers. You just need to stop treating (at an institutional and broader system level) mere knowledge of those identifiers alone as sufficient proof of a user's authenticity. For the most part, the 50-year-old hard-to-change code is already surrounded by other systems which can be adapted more easily anyway.


Point, in internal vs external sense.

What else would you use though? (in the US)

I can't think of any broadly-existing alternatives. You could perhaps have people opt-in to a newly-created, cryptographically-secure ID replacement.


This is the real and hard problem to solve. As far as I know, there are identity-verification services using other, semi-publicly-available data, which can still be spoofed for a lot of people, and some that use just-in-time photography (of your face, driver's license, passport, etc.), but that relies on more on-device security (and thus less end-user ownership of their devices).

It ultimately falls to the government to provide a more robust solution.



