Enforcing additional authentication to password-based authentication, in addition to attempting to increase the security of the password itself, helps to improve the security of the password authentication scheme. For a well-known problem of using strong passwords that differ from site to site, we propose a scheme for password generation and management with an inherent supplementary authentication. Like the so-called password manager, the scheme retrieves and presents a strong site-specific password whenever requested without requiring the user to remember multiple passwords. Unlike the existing methods, however, the scheme permits the password retrieval process to proceed only through the authenticated user s ownership verified smartphone. Hence, even for sites not enforcing or supporting two-factor authentication, the logon process can benefit from the scheme’s assurance of enhanced security with its two-factor equivalent authentication. The scheme can also prevent an attacker from impersonating a user or stealing secrets even when the stored information of the server for password retrieval service or the user s smartphone is leaked.