Got it, this is quite interesting. I've just read through some of the explanations of SQRL; we're actually following a slightly different protocol, the FIDO protocol (https://fidoalliance.org/how-fido-works/), instead of SQRL.
I can see that they're pretty similar, but please correct me if I'm wrong or not answering your question.
I guess the idea is that we make an SDK so developers don't need to do much to implement FIDO. They can just call one function from our SDK to perform authentication. (They don't need to implement cryptographic key generation, storage, or signature verification; they don't even have to store the public keys. It's all handled on Cotter's server.)
One advantage that drew my interest in SQRL (besides being free and open) is that it avoids having any secrets kept by any service, making any potential leaks a non-issue.
Yes, this is also the case with FIDO. The private key is stored in the device's secure storage, and only the public key is shared with our server. So the private key is never shared anywhere and is not kept by any service.
(This is also very interesting to me when I read about FIDO)
https://www.grc.com/sqrl/sqrl.htm