Conceptually it's very simple: when you signup for a service, you generate a private and public keypair. The private key is stored in your passkey manager [...], and the public key is stored in the database of the service. Then, during a login, the server sends an randomly-generated challenge, your device sign it wit the private key, and the server verify that the signature of the challenge matches the public key.

An alternative to passwords.