But this kind of comes back to my point - why do we have online verification systems that rely on things like knowing my address in the last three years - Equifax breach should have meant we gave up on using a credit risk scoring system as an identity provider.
But we don't.
We need to rethink what is identity (start with web of trust) and who owns data that links to that identity.
I mean this could be the start of a positive identity provider - grab that downloaded database and provide a system that says this is a picture of Paul Brian's face, and his passport, and on the 20th August last year a official of the US government compared them
in real life and verified they matched (there may even be a hash of the digital images made at the time but I should not get my hopes up)
Now make that globally available. Is that useful and valuable - I think so. I would prefer if I had been able to upload my public key to that at the same time (I can always visit NYC again) but you get the idea. This leads to question like why does my passport not generate a key pair for me to use? Can I use facial recognition to match my gravatar / facebook / twitter ? Why is knowing a non-secret (mother's maiden name, passport or drivers license number, three digits on back of credit card) seen as security?
Why is it we use what we have to hand and not what is needed? Why don't american banks use chip and pin?
It's not bad that my online identity is clear and visible - as long as the legal and practical frameworks exist to support it - which they basically don't right now but we could make it happen