Those are very bland and generic criticisms that can equally be leveled at many other authentication schemes.
Does this sqrl improve on the existing security offered by alternatives? Likely not. It just offers convenience and keeps many of the existing downsides.
Honestly 2/3 of those criticisms can be leveled at ANY single-sign-on scheme (Facebook, Google, Microsoft, etc). And the password reset issue would be trivial to engineer around.
So using it to explain why sqrl is a bad idea is a little confusing, are Google accounts also a bad idea?
The downside is that smartphones are pretty terrible in terms of security. Lose your smartphone and you give away the keys to everything. Given how easily phones are stolen, that's a pretty bad single point of failure. With my laptop, I can use a password manager together with full-disk encryption with a decent password. That beats this suggestion hands-down.
A smartphone isn't any less secure than a laptop... I could say "lose your laptop and you give away the keys to everything" just as you said the same for a smartphone... It's up to the user to decide what security they put on their devices. On iPhone at least, everything is really well encrypted out of the box. Most people don't put passwords on their laptops either.
Most people don't put passwords on their laptops either.
I don't know about most. Certainly many people do, and it's fairly convenient to have one.
On the other hand, the input capabilities of smartphones are so limited that I find it hard to imagine finding anybody - even otherwise computer-savvy people - whose smartphone data is encrypted using a reasonably secure keyphrase.
Smartphones are arguably exposed to theft risk in more scenarios than laptops are, and the security on a smartphone is generally weaker than on a laptop (at least one with whole-disk encryption).
At the end of the day, as you said, phones are more easily lost and stolen, but there is barely a difference now in the functionality of security between a phone, laptop, and desktop; they're all the same. Now, for convenience, many users don't bother having a password on their phone. That's not functionality though, that's just how a user has decided to protect their phone's content...
Thanks for sharing, looks interesting.
It somewhat reminds me of Bitauth[0]; they share the concept of the user signing his stuff. The difference being that there's no need of a third party (the bitcoin-like network of public keys).
Thanks for pointing it out, it looks great... Any known downsides to this approach? (well, apart from needing a mobile platform which now serves as your access repository)
You don't actually need a mobile at all. You could have this run as a browser plugin, but the point of having SQRL on a mobile is that it's separate from what you're trying to log in with, if that makes sense.
[0] https://www.grc.com/sqrl/sqrl.htm
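Two points in the thread (the "user signing his stuff" comparison with Bitauth, and the reply about keeping the signer on a device separate from the browser that logs in) are easier to see in code. The following is an added example written for this page, not code from GRC, SQRL or Bitauth, and it is a generic sketch of the idea rather than the SQRL protocol itself: the per-site key derivation (HMAC-SHA256 of the domain under a master secret, fed to Ed25519 as a seed), the challenge message layout, the `Site` type and the `clientRespond` function are all assumptions chosen for illustration, and the master secret is a constructed value. It uses only the Go standard library.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// deriveSiteKey turns one long-term master secret plus the site's domain into
// a per-site Ed25519 key pair. Assumption for this example: HMAC-SHA256 as the
// derivation (SQRL's real key hierarchy differs). Each site therefore sees a
// different public key and learns nothing about the user's identity elsewhere.
func deriveSiteKey(master []byte, domain string) (ed25519.PublicKey, ed25519.PrivateKey) {
	mac := hmac.New(sha256.New, master)
	mac.Write([]byte(domain))
	seed := mac.Sum(nil) // 32 bytes == ed25519.SeedSize
	priv := ed25519.NewKeyFromSeed(seed)
	return priv.Public().(ed25519.PublicKey), priv
}

// challengeMessage is the byte string the client signs. The domain is bound
// into it so a signature issued for one site cannot be replayed at another.
func challengeMessage(domain string, nonce []byte) []byte {
	return append([]byte(domain+"\x00"), nonce...)
}

// Site is a hypothetical relying party. It holds no password and no shared
// secret: only the public key each user registered and the nonces it has
// issued and not yet seen used.
type Site struct {
	Domain string
	users  map[string]ed25519.PublicKey // keyed by hex(public key)
	nonces map[string]bool              // keyed by hex(nonce); true = still valid
}

func NewSite(domain string) *Site {
	return &Site{Domain: domain, users: map[string]ed25519.PublicKey{}, nonces: map[string]bool{}}
}

// Register stores the public key the client presents for this site.
func (s *Site) Register(pub ed25519.PublicKey) {
	s.users[hex.EncodeToString(pub)] = pub
}

// Challenge issues a fresh single-use random nonce for one login attempt.
func (s *Site) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Login checks the client's signature over the nonce with the registered key.
// The nonce is consumed before the signature is checked, so a captured
// response is useless a second time whether or not it was valid.
func (s *Site) Login(pub ed25519.PublicKey, nonce, sig []byte) error {
	nk := hex.EncodeToString(nonce)
	if !s.nonces[nk] {
		return errors.New("unknown or already used nonce")
	}
	delete(s.nonces, nk)
	stored, ok := s.users[hex.EncodeToString(pub)]
	if !ok {
		return errors.New("no account registered for this key")
	}
	if !ed25519.Verify(stored, challengeMessage(s.Domain, nonce), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// clientRespond is the "other device" side: it holds the master secret, never
// sends it, and answers a challenge with the site-specific public key and a
// signature. It touches none of Site's state, which is what keeping the signer
// separate from the browser that is logging in buys you.
func clientRespond(master []byte, domain string, nonce []byte) (ed25519.PublicKey, []byte) {
	pub, priv := deriveSiteKey(master, domain)
	return pub, ed25519.Sign(priv, challengeMessage(domain, nonce))
}

func main() {
	master := []byte("constructed master secret; in practice random bytes kept on the device")
	site := NewSite("example.com")

	// Enrolment: the client derives its key for this site and registers it.
	pub, _ := deriveSiteKey(master, site.Domain)
	site.Register(pub)

	// Login: site issues a nonce, the separate device signs it, site verifies.
	nonce, err := site.Challenge()
	if err != nil {
		panic(err)
	}
	p, sig := clientRespond(master, site.Domain, nonce)
	fmt.Println("first login:", site.Login(p, nonce, sig)) // <nil>
	fmt.Println("replayed:", site.Login(p, nonce, sig))    // nonce already used

	// Same master secret, different site: an unrelated public key.
	other, _ := deriveSiteKey(master, "other.example")
	fmt.Println("keys differ:", hex.EncodeToString(pub) != hex.EncodeToString(other))
}
```

The thing to notice is what the site never receives: no password, no master secret, nothing reusable. Losing the device still loses the master secret, which is the single point of failure the thread argues about; that is a property of where the key lives, not of the signing scheme.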