Shared-secret numbers and physical cards are not enough. We need a cryptographic API that lets citizens sign requests to authenticate themselves, such that the signature they emit is only useful for one relying party at one time (not useful if stolen).
Fifty cryptographic APIs, on the other hand, would be a nightmare. We'd at least need the federal government to force states to implement one conforming to some open standard so that the integrations aren't intractable.
Fifty cryptographic APIs, on the other hand, would be a nightmare. We'd at least need the federal government to force states to implement one conforming to some open standard so that the integrations aren't intractable.