Warning: ID Rant
<rant>
When, oh when will institutions, both large and small, come to the understanding that having an identification requirement does, in no way, prevent/deter/alter the fundamental security of a system.
We're talking mere identification here, not authentication.
Sooo many systems conflate the two.
The fundamental use of identification in systems is to establish a point in the space/time/money transaction stream for later post-event auditing and analysis. Identification itself, does, in no way establish/enable security. Having the right mix of surveilance (i.e logging), auditing, and throttling/feedback for transaction governance does.
I suspect this mis-guidance is somehow deeply rooted in our hunter/gatherer-100-person-village brain's inner software. Unfortunately, the safety hueristics (not trusting strangers/unknowns) which scale reasonably well to village-sized populations of hundreds utterly fall apart in our global-village of billions.
- Identification is not Authentication
- Authentication does not SCALE
- Surveilance does scale
- Auditing does scale
People should get their security system engineering inspirations from the stock market, not a bank vault, prison cell, passport or driver's license. An i.d. is only as good as the authentication system (i.e. network) it is tied to.
</rant>
*Sigh*