Passkeys: Why They Are Harder to Phish Than Passwords

Passkeys are often described first as “log in after a fingerprint scan.” The more important question is why they can suppress several of the most stubborn password risks at once. “It uses public-key cryptography” is not enough, because many systems use public keys and still fail against phishing, replay, and credential copying.

Passkeys sit on top of a protocol stack whose parts work together: WebAuthn organizes registration and login, CTAP carries messages between the browser or operating system and the authenticator, and the authenticator signs the domain, the challenge, and the user-verification state together. What changes is not simply “password becomes private key.” What changes is how each login is bound to the site, to the specific request, and to the user’s approval.
