Fundamental lack of understanding (as usual)
Or maybe it's deliberate.
The whole report seems to focus on proving identity, not on the simpler question of whether the person (or robot) at the other end of the line has permission to use an account.
There is a world of difference between proving to every website I visit that I am the real Zaphod beeblebroz, NI number XA 123456C, DOB 01/02/1876 - an identity that will then be saved and can be used for tracking - and the simpler password-based option which shows that the person who knows the password for a/c @Pen-y-Gors is allowed to use that account. I could give the credentials to a dozen friends. Why not?
Identity is something totally different, and far more dangerous. And of course it will be hackable by criminals, no matter what our governments dream about in their security fantasies.
I don't have to prove my identity when I buy a packet of crisps or a book in a local shop. Why should I have to online?
I'm not too fussed if someone hacks my account at aintkittenscute.com or elreg (but it would be a shame to lose that silver badge), but it's rather more important than no-one knows who is really visiting aintkittenscute.xxx. Ditto my bank.