If you go to a website over https, your browser validates the certificate for that domain. Great. Now what if I told you it is possible to do this but in reverse? A web server can ask for a certificate from your web browser to validate your identity. So both ends know that the other is legitimate. Now the question is where to store that certificate? As a file on disk? Seems like a bad idea - too easy to steal. Instead of that we can store them in dedicated hardware like YubiKeys or a TPM module. And the great thing is they are resistant to phishing because certificates use mathematics and cannot be fooled by a wrong URL in the browser address bar. So generally passkeys are just authentication using certificates. (Although I recommend reading more about FIDO2 keys and WebAuthn instead of passkeys, because passkeys are one specific variant of FIDO2 WebAuthn + marketing around it.)
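The phishing resistance described above, as an added example in Go that is not part of the original thread: a minimal model of one WebAuthn assertion with both sides, the authenticator that signs and the relying party (web server) that verifies. The signed-message layout (authData || SHA-256(clientDataJSON)) and the checks on type, challenge, origin and rpIdHash follow the WebAuthn spec; the rpID `example.com`, the look-alike `examp1e.com`, the challenge string and the function names are constructed for this example.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData carries the CollectedClientData fields that matter here. The browser
// fills in origin from the address bar; page script cannot override it.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the relying party gets back from the browser.
type assertion struct {
	AuthData       []byte // rpIdHash(32) || flags(1) || signCount(4), simplified
	ClientDataJSON []byte
	Signature      []byte // DER-encoded ECDSA P-256 signature (ES256)
}

// signedMessage builds the bytes the spec has the authenticator sign,
// authData || SHA-256(clientDataJSON), hashed for ECDSA-with-SHA256.
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// authenticatorSign plays the hardware key: the private key never leaves it.
func authenticatorSign(priv *ecdsa.PrivateKey, rpID string, cd clientData) (assertion, error) {
	cdJSON, err := json.Marshal(cd)
	if err != nil {
		return assertion{}, err
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	authData := append(rpIDHash[:], 0x01, 0, 0, 0, 1) // flags = user present, counter = 1
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdJSON))
	if err != nil {
		return assertion{}, err
	}
	return assertion{AuthData: authData, ClientDataJSON: cdJSON, Signature: sig}, nil
}

// verifyAssertion is the server side. The origin comparison is what makes an
// assertion produced on a look-alike domain worthless to whoever relays it.
func verifyAssertion(pub *ecdsa.PublicKey, rpID, expectedOrigin, issuedChallenge string, a assertion) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" {
		return fmt.Errorf("unexpected ceremony type %q", cd.Type)
	}
	if cd.Challenge != issuedChallenge {
		return errors.New("challenge is not the one this server issued (replay?)")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: assertion was made on another site", cd.Origin, expectedOrigin)
	}
	rpIDHash := sha256.Sum256([]byte(rpID))
	if len(a.AuthData) < 37 || !bytes.Equal(a.AuthData[:32], rpIDHash[:]) {
		return errors.New("rpIdHash does not match this relying party")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) {
		return errors.New("signature does not verify: clientDataJSON or authData was altered")
	}
	return nil
}

// outcome records the verification result of three flows (nil means accepted).
type outcome struct{ Legit, Phished, Tampered error }

// runScenarios registers one credential and runs: a genuine login, the same key
// used on a look-alike origin, and that phished assertion with its origin field
// rewritten after signing. Values are constructed for the example.
func runScenarios() (outcome, error) {
	const rpID, realOrigin, challenge = "example.com", "https://example.com", "c29tZS1zZXJ2ZXItcmFuZG9t"
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return outcome{}, err
	}
	pub := &priv.PublicKey // what the server stored at registration
	var out outcome
	legit, err := authenticatorSign(priv, rpID, clientData{"webauthn.get", challenge, realOrigin})
	if err != nil {
		return outcome{}, err
	}
	out.Legit = verifyAssertion(pub, rpID, realOrigin, challenge, legit)
	// Browser on examp1e.com writes that origin into clientData before the key signs it.
	phished, err := authenticatorSign(priv, rpID, clientData{"webauthn.get", challenge, "https://examp1e.com"})
	if err != nil {
		return outcome{}, err
	}
	out.Phished = verifyAssertion(pub, rpID, realOrigin, challenge, phished)
	// Rewriting the origin afterwards changes SHA-256(clientDataJSON), so the signature breaks.
	tampered := phished
	tampered.ClientDataJSON = bytes.Replace(phished.ClientDataJSON, []byte("examp1e.com"), []byte("example.com"), 1)
	out.Tampered = verifyAssertion(pub, rpID, realOrigin, challenge, tampered)
	return out, nil
}

func main() {
	out, err := runScenarios()
	if err != nil {
		panic(err)
	}
	fmt.Println("legit:", out.Legit, "| phished:", out.Phished, "| tampered:", out.Tampered)
}
```

A real browser would not even let the look-alike page use a credential scoped to `example.com`, because the rpID must be a registrable suffix of the page origin; the server-side origin check shown here is the second layer that catches anything relayed around that. Production verifiers additionally track the signature counter, decode base64url fields and take the public key from the stored credential record rather than a local variable.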
ifh-hn|4 months ago
[deleted]