Persistence of addressing

A few days ago I mentioned that “It’s going to be interesting to hunt down all of the places which have my Sun address”. Yesterday I came across one of them: PayPal. And changing it was quite a trip.
It’s easy to add a new email address to PayPal, so I did that. But then I wanted to make this address the primary one, and delete my sun.com address. To accomplish this, PayPal wanted to send a confirming email to the current primary address – but that address had been deactivated on the day of my RIF. The workaround was interesting. First, I had to log in. [“Something you know.”] Then PayPal showed me the last four digits of my credit card, and asked for the full number. [“Something you have, but could be stolen.”] Next, PayPal indicated that it had my phone number on file, and asked if it could call me. When I clicked Yes, a four digit code was displayed, my phone rang [“Something you have that can’t be stolen.”], and I was instructed to enter the code using my phone [“Something ephemeral that you know.”] . This satisfied PayPal that I was who I claimed to be, and the change was effected.
How does this stack up as an identity solution? It certainly exploits existing technology to the full….