If the reader had a decently secure channel to the central auth piece, then it shouldn't (in theory) matter how simple or complex the id would be. (?)