In this paper we present a smartphone-based architecture to secure user access to web services that require password entry. Our architecture takes advantage of the biometric sensors present in today's smartphones when authenticating a smartphone user, in order to ensure that no one else can masquerade as her. The user can then access web services using a complex password stored in her smartphone, without having to enter that password manually. As a result, the architecture overcomes many security limitations of today's password-based authentication approaches and, in particular, resolves the current dilemma associated with the use of complex passwords. In addition, the proposed architecture not only works seamlessly with today's web services, since it requires no changes to the existing authentication mechanisms used by the servers, but can also be extended to directly use a person's biometrics as credentials instead of passwords when accessing web services and cyber-physical devices in the future.