If you build or maintain internal tools for a small team, you've probably watched passwords rot from the inside: reused across a dozen SaaS apps, pasted into Slack, parked in a spreadsheet named logins_final_v2.xlsx. Passkeys fix the root cause. Here's the developer-level version of why, and how the flow actually works.

Passwords vs. passkeys, architecturally

A password is a shared secret — you know it, the server knows it, and anything on the wire between you can grab it. A passkey is a FIDO2 credential built on public-key cryptography. Your device holds the private key; the server only ever sees the public key.

That single difference kills whole attack classes:

Phishing — there's nothing to type, and the credential is bound to the origin.