
When you log into a site with a password, you need to transmit your actual password over the wire. Sure, you'll hopefully have encryption when sending that credential over, but in the end you'll be exchanging your actual password with some remote service. That remote service might be misconfigured, it might be misdesigned, it might be under attacker control. Now they have your whole credential.

A passkey doesn't transmit your actual, full, repeatable credential over the wire. It's a challenge-response protocol, so only that one authenticated session would be intercepted. Kill all questionable sessions and you're good, they're not reusing it.


