How would you do it online in a way that's not too burdensome?
There are a few schemes being considered.
It's pretty easy for a device to collect biometrics and match them locally, as long as a chain of trust can be established so relying parties can reasonably expect that (a) the collection and matching can't be easily subverted and (b) the right biometric is matched against. It's not in general possible to get a very high level of assurance of (a) on consumer devices, but it actually doesn't have to be that high, since human matching of strangers' faces to photos isn't actually all that good. Part (b) is probably the trickier part, but there are various potential solutions. The best is requiring people to go into a physical government office and get their biometric recorded there (the same way you go to the DMV office and get your photo taken). This gets a bit trickier because not all devices capture biometrics in the same way, but that's a technical problem amenable to technical solutions. For example, the DMV may capture an optical image of your fingerprint once, and then even if you go through several phones with different fingerprint sensor types, the output of those sensors probably can be matched against the optical image with appropriate sensor-specific preprocessing. For face matching, if the DMV captures a 3D map of your face in both IR and visible light rather than a flat photo, then that can probably be matched against all device-captured livescans.
Another option that is less privacy-preserving and really only appropriate for face matching (or other optically-collected biometrics, such as iris) is to do face matching on the server side. The ID credential provides a flat image that is signed by the issuer, and the user uses their device to capture a fresh livescan -- but not of a flat image since that's too easy to spoof. Instead the device would be used to capture a video stream in which the user responds to challenge instructions to verify liveness and freshness.
There are some other ideas floating around.
Obviously AI is going to throw a wrench into a lot of these. But as I pointed out before, one thing we have going for us is that they only have to be a little better than current solutions, and in the context of the current discussion they'd only have to be good enough to defeat the typical 13 year-old (if some exceptional 13 year-olds can work around it, that's probably okay, as long as they can't scale the solution to make it available to their hundred closest friends).