Couple of thoughts

If you're talking two way verification through public-private keys, you'll need some form of client for your customers to interact with, you'll also need a fairly robust key management system and a way to validate and manage when a key has been stolen.

SMS is an interesting idea for large exchanges, however if I'm going to have to jump through hurdles for each trade I might decide to go somewhere else where it's easier.

Not sure what the point is of establish a wallet for each user, the wallet should be buffered and fire walled off and not even accessible from the web server.