@nikitonsky yeah, your device signs something and the server never receives the private key. Also the password manager integrates directly into the browser so you just click "sign in w/ passkey" instead of it having to hack around filling in a form.

If a site does a bad job choosing their hash/salt then a leaked DB could be reversed to passwords (or they could be storing in plaintext), and the server receives the plain password during authentication. Neither of those is possible with passkeys.
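
A simplified model of the flow described in the post above, as an added example that is not part of the original post. It uses Node's built-in `crypto` module rather than the real WebAuthn API, and the names `createPasskey`, `Server` and `demo` are made up for illustration.

```javascript
// Added illustration: simplified passkey-style login, not the WebAuthn API.
const crypto = require("node:crypto");

// Device side: the private key is created here and only a sign() closure is exposed.
function createPasskey() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  return {
    publicKeyPem: publicKey.export({ type: "spki", format: "pem" }),
    sign: (challenge) => crypto.sign("sha256", challenge, privateKey),
  };
}

// Server side: the user database holds public keys only.
class Server {
  constructor() { this.db = new Map(); this.pending = new Map(); }
  register(user, publicKeyPem) { this.db.set(user, publicKeyPem); }
  startLogin(user) {
    const challenge = crypto.randomBytes(32); // fresh random value per attempt
    this.pending.set(user, challenge);
    return challenge;
  }
  finishLogin(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // single use: an old signature cannot be replayed
    const pem = this.db.get(user);
    if (!challenge || !pem) return false;
    return crypto.verify("sha256", challenge, pem, signature);
  }
}

// Constructed scenario: one user ("alice") registers, logs in, then an old signature is replayed.
function demo() {
  const server = new Server();
  const device = createPasskey();
  server.register("alice", device.publicKeyPem);

  const signature = device.sign(server.startLogin("alice"));
  const loginOk = server.finishLogin("alice", signature);

  server.startLogin("alice"); // new challenge issued
  const replayOk = server.finishLogin("alice", signature);

  // Everything a leaked database would contain: public keys, nothing that can sign.
  const leaked = [...server.db.values()].join("\n");
  return { loginOk, replayOk, dbHasPrivateKey: leaked.includes("PRIVATE KEY") };
}
```
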