I think it's a less bad alternative for people using the same password on everything. As many comments here already pointed out, it's not perfect. I don't feel like I know enough about it to know just how good it will be for the average person.
See also: that SQRL thing Steve Gibson has been working on for years?
Hopefully the web authentication standard won't suffer the same fate. It _is_ backed by several major companies (Google, Microsoft, Mozilla) so at least they'll be able to kickstart adoption by implementing the API on their own sites.
> Authentication and identification is combined
This is plain false. There's nothing in the spec that says you can't give a site your email address, and there _is_ a built-in way to revoke credentials in the spec.
> Single point of failure
This is dumb. Password managers have exactly the same flaw and nobody seems to have a problem with that.
> Social Engineering attacks
This is true, but only in exactly the same way that password managers are vulnerable. (If the user is for whatever reason not using a browser plugin to authenticate, _and_ you can trick them into entering their info on the wrong site.)
1. Easier to set up new accounts. No fiddling with onerous password requirements or text boxes; just one click and you're done.
2. More secure and/or convenient than password managers when signing in on a public computer (scan QR code with phone vs. load entire password DB onto computer or manually retype password via keyboard)
3. Better recovery against the worst-case scenario of database leak (SQRL client can transparently and automatically rotate your credentials, vs having to do it all manually with a password manager, and there's no list of sites you have an account on that the attacker can use against you)
4. Possible for sites to enforce the use of SQRL, whereas password managers need a password field to function, thereby encouraging users to continue insecure practices like weak passwords and password reuse.
5. Public keys instead of bearer tokens means you don't have to worry about rotating credentials if a site leaks its database.
Like I said, it's pretty much just a password manager, but better.
At this point though it seems pretty likely that the Web Authentication Standard has successfully overcome that barrier. It's already partially implemented in multiple browsers (Chrome, Firefox) and backed by a W3C Candidate Recommendation. In the face of that, I don't believe SQRL can compete.
It's the successor of the work Google did with Yubico that eventually led to FIDO U2F. Google did some user research about the rollout amongst their 50k employees at the time: [Security Keys: Practical Cryptographic Second Factors for the Modern Web](http://fc16.ifca.ai/preproceedings/25_Lang.pdf).