There's apparently no good way of doing this. Denmark have a system for identifying yourself online. It has a 2FA component, either an app on your phone, where you have to swipe or something (I don't use it) or a physical code generator. It should be basically impossible to break, except it's not, because people will get calls from "their bank" asking the to do the 2FA stuff. Basically any measure put in to prevent this is being circumvented by people believing that the bank, who barely wants to deal with customers, would actually call them up Thursday evening.

I think the current solution is to have users scan a QR code, if they are on a different device than the one with their authenticator app. I haven't hear of anyone with the hardware token being scammed though, but most of the people who have the hardware version, do so because we don't even trust an app on our phone.

But yes, there are PLENTY of cases of identity theft even in countries with electronic identification solutions.

One thing the US could do, but won't, is have an account registered with the federal and state governments. Any money coming from the government should ONLY go to that account and it changing it should require a thorough identity validation.