The wikipedia deauth page is pretty good [https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack](https://en.wikipedia.org/wiki/Wi-Fi_deauthentication_attack)

But a short summary is, the wifi protocol has a message that can be sent to forces a wifi access point to disconnect a client. It’s fairly easy to spoof these messages. Once the client has been disconnected you can try to set up a duplicate wifi access point of your own and get clients to connect to that, and sniff their wifi traffic. Alternatively you can just observe them re-connecting and try to extract the wifi password out of that.

I don’t know of a good way to prevent it at the moment.