Why do you need it? Because you don't want to implement a login system? Very, very few websites are the sort of place where they'd want to authenticate with only a Bitcoin address. If for no other reason than they'd have no way to email you, and if you lost your wallet, you'd lose all your associated data.

 

In future there often won't be a simple paying address. For instance, if my coins are in a multi-sig relationship with a risk analysis service, there will be two keys for each input and an arbitrary number of inputs. So does that mean the risk analysis service gets to open my locker? Why?

What if I do a shared spend/CoinJoin type tx? Now anyone who took part in the shared tx with me can get into my hotel room too?

These are the kinds of problems that crop up when you mix together two different things: the act of paying, and the act of identifying yourself. You're assuming that replacing a password people can remember with a physical token (their phone) which can be stolen or lost, would be seen as an upgrade. Given a choice between two physical lockers, one of which lets me open it with a password and one of which insists on a cryptographic token, I'm going to go for the former because the chances of me losing my phone is much higher than me forgetting my password.

All the tools you need already exist in the form of client certificates, with the advantage that web servers and web browsers already support them. The biggest pain point with them is backup and cross-device sync, which of course wallets suffer from too!