Passkeys are basically just asymmetric encryption. When you create a passkey, you upload the public key to the website, and the private key stays on your device.
That greatly reduces your risk if/when credentials gets leaked from the site in question. Public keys are meant to be public, and worthless by themselves.
As for your private key, that usually ends up in a secure enclave or similar HSM, which in turn is protected by a pin code and face or fingerprints.
The private key then becomes "something you know", and your biometrics are "something you have".
Client certificates have existed for basically as long as encryption. Passkeys are more than that, and that is a crucial point. They allow to verify the identity of the signing device, and allow access only if the device is "legitimate" from the point of view of the remote service. That is a very big encroachment on the user's privacy and freedoms and a new very big step in the process of tying everything even more tightly to accounts and devices controlled by the big service providers and making it more difficult to get out or to enter the market for new actors.
Think Trusted Computing. Soon it will be impossible to log in to some media streaming platform, for example, if you don't have a passkey sanctioned by an OS with a TPM. Then everything will be locked in and the only flaw will be our eyes and our ears.
Absolutely, passkeys couple a trusted device (typically a phone with HSM) with asymmetric encryption.
HSM ensures that the device is actually the device it claims to be, as the key cannot leave the device, and by coupling it with biometrics, which is authentication, you prove to the device you are who you claim to be.
So by the device authenticating you, the device by extension can authenticate you against the remote site using a cryptographic challenge.
There is no vendor lock in however. You can use a password manager like 1Password to store passkeys, or even Apples keychain supports synchronizing the passkey across devices (including windows). KeepassX also supports passkeys, so it’s not limited to official vendors like TPM.
As for HSM, you can also use something like a Yubikey.
I was wondering why I couldn't just use a client cert (or better yet my ssh keys) and figured it would be something like that. It turns out I was right to invest zero time or energy figuring it out.
If this weren't hackernews I'd call you a bad name for wasting my time like that. Until and unless I can just give you my ssh key I won't touch this with a ten foot pole.
Actually, all three factors are things you know: Your password is something you know. The private key on the security processor is something you know. And your scan of your fingerprint is something you know.
Well, biometrics usually act as a proxy for PIN codes, so the PIN code is something you know, the private key is something you have, and biometrics is authentication.
You are a human, and humans have permanent fingerprints. The difference between "something you have" and "something you are" is that you can regenerate the former, but not the latter.
I believe they were referring to the fact that you can't hit a button and generate new fingerprints for yourself. The ones you have are with you forever, generally.
That greatly reduces your risk if/when credentials gets leaked from the site in question. Public keys are meant to be public, and worthless by themselves.
As for your private key, that usually ends up in a secure enclave or similar HSM, which in turn is protected by a pin code and face or fingerprints.
The private key then becomes "something you know", and your biometrics are "something you have".