A new login technique is becoming available in 2023: the passkey. The passkey promises to solve phishing and prevent password reuse. But lots of smart and security-oriented folks are confused about what exactly a passkey is. There’s a good reason for that. A passkey is in some sense one of two (or three) different things, depending on how it’s stored.
Passkeys use cryptographic keys held client side which are never transmitted, they user cryptographic challenge-response protocols and send a single use value back. You can’t intercept and reuse it unlike with passwords.