Here’s a typical password for an account of mine:
Now try to type that into an app on your phone. Now try to type that every time the app updates or you come out of airplane mode and the app wants you to login again. It becomes so tiresome, I just stopped using the app. In fact, I removed my entire account and found another service which is close enough.
I talked to a number of other people and they all have the same complaint. No one stopped using the service, they just set a very weak password which is easy to type into a phone.
This is a horrible state of affairs.
For some apps, I’ve defaulted to using weak passwords and two-factor authentication with a one-time pad. However, as I’ve discovered, one can bypass most of these two-factor auth schemes by claiming you forgot your password and having a link emailed to you.
There is ongoing research into better ways to identify you are who you are when trying to login to a service. Some apps/services simply send you a unique code to your email on every login attempt. Some verify your phone number matches the number in your account. However, most don’t do any of these.
I’d like to think that the phone always knows where I am, so geoip locality could help, verify fingerprint identification (like Apple requires when you download/buy in the App Store), or something else based on where I am, who I am, and past history confirming all of this.
In the end, I use most services via web interface and trust my browser’s ability to save credentials is secure and safe enough to save my typical username/password combination.