@alper : forget the marketing blah about public key encryption; its advantages are extremely exaggerated.
Just think of each passkey as an extremely strong and unique password tied to the domain name of a website.
The strength of passkeys (the WebAuthn protocol actually) lies in the fact that software (not the user):
1) Insists that the connection uses https;
2) Uses the passkey only if the domain name of the website (as shown in the browser's address bar) is the same (*) as the one used when the passkey was created.
(*) It's a bit more complicated than that: subdomains may be permitted under certain conditions.
Unintentionally logging into a fake website with a lookalike domain name (phishing) is impossible (an "Adversary in the Middle" attack is possible only if a fake website possesses a certificate deemed valid by your browser, like I wrote about in https://infosec.exchange/@ErikvanStraten/112914050216821746).
However, passkeys suck in practice (Dan Goodin is right), see https://infosec.exchange/@ErikvanStraten/113730072998238596.
@schwa
@dangoodin
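
Added example, not part of the original post: a simplified JavaScript model of the two checks the post lists (https required, and the page's domain must equal the passkey's domain or be a subdomain of it). The function names, the sample domains and the three-entry public-suffix set are assumptions made for illustration; a real browser uses the full Public Suffix List and WebAuthn's RP ID rules.

```javascript
// Simplified model of the client-side domain check described in the post.
// Assumption: this tiny constructed set stands in for the real Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// True when host is a subdomain of rpId and rpId is not a bare public suffix.
// The leading "." forces a label boundary, so "evilexample.com" never matches "example.com".
function isSubdomainOfRpId(host, rpId) {
  if (PUBLIC_SUFFIXES.has(rpId)) return false;
  return host.endsWith("." + rpId);
}

// pageUrl: what the address bar shows. rpId: the domain stored with the passkey at creation.
function passkeyUsable(pageUrl, rpId) {
  const url = new URL(pageUrl);
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };
  const host = url.hostname.toLowerCase();
  const id = rpId.toLowerCase();
  if (host === id) return { ok: true, reason: "exact match" };
  if (isSubdomainOfRpId(host, id)) return { ok: true, reason: "subdomain of RP ID" };
  return { ok: false, reason: "domain mismatch" };
}

// Constructed sample cases: a passkey created for "example.com".
const SAMPLE_PAGES = [
  "https://example.com/login",          // same domain
  "https://login.example.com/",         // subdomain, permitted
  "http://example.com/login",           // no TLS
  "https://examp1e.com/login",          // lookalike domain
  "https://example.com.evil.org/login", // real name used as a prefix
];

function runSamples() {
  return SAMPLE_PAGES.map((p) => [p, passkeyUsable(p, "example.com").reason]);
}

for (const [page, reason] of runSamples()) console.log(page, "->", reason);
```

The lookalike and prefix cases fail on a plain string comparison done by software, which is the property the post attributes to WebAuthn: the user's judgement of the address bar is never consulted.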