When you visit a website you’d like to login to, your browser generates a public/private key pair and gives the public key to the site.
When you want to login:
The browser uses the website domain name to generate a challenge and sends it to the website.
The website verifies the challenge by sending back a randomly generated long text, encrypted with the public key.
Browser confirms by sending back the decrypted text as proof.
Now both website and browser are sure the other is legit, there are no passwords involved, the login process is standardized and can be upgraded with new protocols and cyphers whenever needed, you can’t be phished, you can’t be tricked by a fake domain that looks in Unicode like the correct one, and if anybody breaks in and steals the public key they can’t do anything with it.
Passkeys are client-driven.
When you visit a website you’d like to login to, your browser generates a public/private key pair and gives the public key to the site.
When you want to login:
Now both website and browser are sure the other is legit, there are no passwords involved, the login process is standardized and can be upgraded with new protocols and cyphers whenever needed, you can’t be phished, you can’t be tricked by a fake domain that looks in Unicode like the correct one, and if anybody breaks in and steals the public key they can’t do anything with it.