passkeys vs passwords

Google announced they are making passkeys available for authentication to all of their users. What exactly is a passkey and how does it work? How is it safer?

6 Answers

Anonymous

A password you already know – it is a special word that you use to authenticate yourself. They are notoriously insecure because, by definition, all you need to access the account is the secret word – anyone who learns it can access your account.

A passkey is when a specific device is authorized to your account, and only that authorized device can grant access. So when you try to log in, the website pings your device and asks “Is this login genuine?” – at which point you have to confirm on the device “Yes, it is me”. There is cryptography involved to ensure that the device replying is _actually_ the authorized device, but for our purposes we can simply say that **only** the authorized device can approve the request.

It is safer because you can’t just learn a simple word to gain access – you have to have access to the physical device to authorize. Since those devices _themselves_ are locked with passwords (or biometrics) you’ve created a system that has two layers of security – something you have (the device) and something you know (password) or something you are (biometrics). Any additional layer of security you add will inherently make the process more secure.

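The answer above mentions cryptography that proves the replying device is the authorized one. As an added example (not part of the original answer), the code below models that step as a signed challenge using Node's built-in `crypto` module; it is not the WebAuthn API that real passkeys use, and all function names are hypothetical.

```javascript
// Added illustration: challenge-response with a device-held key (not the WebAuthn API).
const crypto = require('node:crypto');

// Enrollment: the device creates a key pair and keeps the private key.
// Only the public key is stored by the website, so a leak of the
// website's database gives an attacker nothing they can log in with.
function enrollDevice() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return { device: { privateKey }, serverRecord: { publicKey } };
}

// Login step 1: the website issues a fresh random challenge.
function newChallenge() {
  return crypto.randomBytes(32);
}

// Login step 2: after the user unlocks the device (PIN or biometrics),
// the device signs the challenge with its private key.
function deviceApprove(device, challenge) {
  return crypto.sign('sha256', challenge, device.privateKey);
}

// Login step 3: the website checks the signature with the stored public key.
function serverVerify(serverRecord, challenge, signature) {
  return crypto.verify('sha256', challenge, serverRecord.publicKey, signature);
}

function demo() {
  const alice = enrollDevice();
  const other = enrollDevice(); // a different, unauthorized device

  const c1 = newChallenge();
  const sig1 = deviceApprove(alice.device, c1);
  const c2 = newChallenge(); // challenge for a later login attempt

  return {
    genuine: serverVerify(alice.serverRecord, c1, sig1),
    wrongDevice: serverVerify(alice.serverRecord, c1, deviceApprove(other.device, c1)),
    replayed: serverVerify(alice.serverRecord, c2, sig1), // old answer, new challenge
  };
}

console.log(demo());
```

Unlike a password, nothing the device sends can be reused: the signature is only valid for the one challenge it answers.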