Here's the thing; any form of identification, whether it be a letter of passage from the King, a passport, a photo ID, a biometric signature, a PIN - they all require a singular ubiquitous element in order to work.


Before Photo IDs, we still had drivers licenses, but they were paper and contained a name, an address, and a physical description of the driver (male, Caucasian, 170cm, black hair, brown eyes, etc.) and these were taken as proof of identification. We switched to photo IDs because they were supposed to be harder to cheat, and they are. But, they're not impossible to cheat which is another problem.

Biometrics are similar - biometrics are really useful the second time you ever meet someone, and their sole strength is ensuring that a person isn't registered in a system multiple times. Yes, they're also a part of authentication, but even the best biometrics have Detection Error Tradeoff (DET) curves associated with them - occasionally, they get it wrong and let someone in they shouldn't or lock someone out they shouldn't.

The point being, that authentication of identity relies on one or more of three elements,

What you have ( ~~Photo ID~~ key or swipe card)
What you know (password)
What you are (biometrics)

in some combination that can be trusted to a point where the risk is acceptable.

This is in fact the key point - all authentication protocols are in effect risk mitigation systems, not risk avoidance systems. You will NEVER eliminate the risk of either false positives or false negatives in your authentication process unless you set up a system where the authentication process represents a practical prohibition on access to whatever system you have.

In other words, your cop pulling over someone for a broken taillight is really just doing a cursory check that the person in front of him isn't a wanted killer (which is highly unlikely) because no real damage has been done and he just wants to issue the infringement notice to the right person.

So - your shapeshifters may not have a photo ID at all - it kinds of defeats the purpose. What they may have is some form of DNA test or some other simple to use identifier that is much harder for a shapeshifter to circumvent.

In point of fact, if shapeshifters are a part of your society, normal biometrics like photo IDs, facial recognition, fingerprints, etc. are now all redundant for everyone. Why? Because you don't want your shapeshifter impersonating a normal person when the police pulls him over for a broken taillight and it turns out he's just killed the original owner of the car.

Ultimately I don't know what kind of identity authentication you would employ in a society with shapeshifters (and it's probably a really good question to ask here in its own right) but the simplest answer to your question about how to resolve the incompatibility between photo IDs and shapeshifters is not to use photo IDs.

The very existence of your shapeshifters has brought the trust value of photo IDs down to zero.

Assuming that your shapeshifters have a static DNA profile, what you'd probably find is that pretty quickly you'd see the advent of portable DNA sniffers being used for identification purposes by police, airports, etc. Most 'what you have' models of authentication would be abandoned pretty quickly and replaced with some other mechanism that can be trusted to the same level as photo IDs were pre-shapeshifters.