Should organizations require and validate a government issued form of identification before granting network access? It’s easy enough to do. Costs a bit for the comparison books and an hour of training, but it will catch the majority of bad identification. Of course, what to do with it after you’ve caught it…
But how much bad identification, as opposed to high quality forgeries, is seen in any business? No data.
More importantly, as has been pointed out by some bright people in the industry, the secretary is not a security guard, and the security guard is not a security professional. Some small percentage of false identification is going to result in violence. Better the guard than the HR representative.
Regardless of whom, outside of the government, nobody without a Treasury department background is going to catch the good forgeries. So we can at best reduce a risk, but not eliminate it.
Given the possibility of violent confrontations, would a business be better served by a validation after the fact? It depends on the business, but in general, giving network access to the bad guys for any amount of time is a bad idea.
How do you test effectiveness when the mere act of copying a form of identification can be a Federal crime?
It makes perfect sense, wanting to identify persons with access to the network, but the process does not make perfect sense. In the meantime, businesses will go on accepting fake identification and getting taken by fake ID holders.