Of the four obstacles addressed in the paper (Latency, Lack of privacy, Convenience, and Reliance on a 3rd party), I think Convenience is the main killer of this technology.
Chase Bank implements something similar to SAW. Whenever I log into Chase, the server checks my current IP against my previous login IP. If the IP addresses differ, they e-mail me a token which I need to enter along with my password to enter the site. I say from experience that this is annoying as hell.
While authenticating over an IM protocol still has its obstacles (Privacy and Reliance), the Latency and Convenience issues become more tolerable.
One potential problem I see with this system (which is not as applicable today as it was a few years ago) is ability to support users without an e-mail address or IM identity. Can site owners safely assume that everyone has an e-mail address in this day and age? How about IM?
interesting but, what if an attacker knows your email password, then he can control your whole life right? because there is just one password (your email's) for which all your access to websites depend on.
If an attacker knows your email password than NOTHING can save your privacy! Even if you rely on all kinds of security techniques on your site (SSL, cookies, sessions etc), if someone has your email password, they can retrieve your website password through numerous techniques.
This paper is not a joke. Far from it. It's just that it relies on a custom server.
I think doing this sort of thing over IM makes much more sense than email.