SQRL does something like a secure token. It allows a manager on a smartphone or computer.
The site you are trying to access presents a clickable QR code that contains a session id and some random gibberish. The SQRL manager will sign that message with a private key that you have, and it signifies that you are who you say you are.
This allows you to sign into a public machine using your smartphone, and once the session is terminated, anything that could have been captured doesn't allow an attacker to login later.
On your home machine you could have a manager that handles SQRL:// and it takes the smartphone out of the loop.