> Requiring ID is not entirely the right approach here I think
It is in the sense that it entices the industry to come up with a better approach.
Otherwise they'll just sit on their piles of gold saying that it can't be done, as they have been doing for far too long.
This approach is just fine for the industry: delegate the problem to the lowest, shadiest bidder. After all, privacy breaches aren't their problem. If governments want an ID system they should provide one.