>If you misplace your USB device or 'pass key ring' anyone who picks it up may have access to every online account you own.
No, you'd still need a password AND the device. It wouldn't be just the device. This is why companies issue their employees RSA tokens. You still need a username and a password (something you KNOW), and then you use the random number on the token (something you HAVE). If someone picked up your physical form of security, your token for instance, they would have no idea what account it belongs to, your username, your password, or your PIN. It would be useless to them.
Companies already do this and it's extremely safe and effective. If I lost my RSA token for work, no one would have any clue what was for, how to connect to my network, where I work, and even if they figured that out they'd still need my username/password/pin to go with it.
It's not a bad idea in my opinion. It's actually in better accordance with the CISSP security standards. There are three forms of security auth. "Something you KNOW", like a username and password. "Something you HAVE", like a physical RSA token. And "Something you ARE", like a biometric fingerprint reader or voice authorization. Using only one form of that is weak, but combining two forms of security makes authorization that much harder to fake or spoof.
Combining two is what Google is thinking about doing. That's a good thing and much more secure. The article didn't really explain that part, and does kind of imply passwords wouldn't be needed anymore, but I don't think that's right and the article kind of left that out.