Right now, even if they wanted to, the executive can't force a national ID.
That's still too specific. "national ID with a cryptographic token" means that OpenID / PayPal-based single sign-on logins are illegal.
Yeah, writing laws is hard as heck, and Congress is NOT the expert in the field of cryptography / login security. So Congress would get it wrong if they even tried to write the law in that manner. Executive Branch CAN hire experts (e.g., 18F, NIST, etc.) to define best practices.
As such, the proper legislative solution would be to mandate "industry best practices of identity protection, as defined by (Insert Agency Here, maybe NIST)".
Why? Why doesn't it just mean that there's a canonical government system that doesn't touch PayPal or OpenID that can be used for stuff that would currently be tied to your social security number?
You have a point on OpenID, but my overall point is that OpenID would probably be sufficient for most financial transactions on today's internet. OpenID is basically equivalent to PayPal's security model.
Neither PayPal nor OpenID requires 2-factor or security tokens. I think they're an optional feature. But in any case, the PayPal / OpenID model of identification (PayPal-controlled website verifies password, and sends a token to the 3rd party website) would be sufficient for today's security.
----------------
Of course, none of this even touches upon Equifax. Equifax uses SSNs to identify people, and often without their knowledge or consent. Equifax is a service to the financial industry, to help keep tabs on individuals' history.
So the PayPal model will NOT work with Equifax's use case, because the individuals don't always know when they are being tracked. Maybe it'd have to be something like OAuth's model.
In any case, I'm not an expert either. I just appreciate the difficulty of this problem.