It is public key cryptography. You give websites your public key, and keep your private key hidden. When you sign in to a website, they send you a nonce. You then digitally sign the nonce with your private key. They verify that the signature was signed with your private key, allowing you to log in.
There is no private info (aka a password) going out in public so you don't have to trust anyone to keep your password secret.
It greatly reduces the attack surface of logging in, but the attack surface is moved to the weakest part of the system, aka the user.
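Here is the nonce-signing exchange above written out end to end, as an added example (not code from the comment). It uses Go's standard `crypto/ed25519`; the `Server`/`Authenticator` types, the `Login`/`Challenge` method names and the user "alice" are made up for the demo. The server stores only public keys, hands out a random nonce per login, and consumes the nonce on first use so a captured nonce/signature pair cannot be replayed.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Server holds what the website keeps: a public key per user and the
// challenge currently outstanding for that user. No password, no private key.
// (Hypothetical type for this example.)
type Server struct {
	users  map[string]ed25519.PublicKey
	nonces map[string][]byte
}

func NewServer() *Server {
	return &Server{users: map[string]ed25519.PublicKey{}, nonces: map[string][]byte{}}
}

// Register stores the user's public key (the enrolment step).
func (s *Server) Register(user string, pub ed25519.PublicKey) {
	s.users[user] = pub
}

// Challenge issues a fresh random 32-byte nonce for the user and remembers it.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	s.nonces[user] = nonce
	return nonce, nil
}

// Login checks that sig is a valid signature over the outstanding nonce
// under the user's stored public key. The nonce is consumed on first use,
// so a captured (nonce, signature) pair cannot be replayed.
func (s *Server) Login(user string, nonce, sig []byte) error {
	pub, ok := s.users[user]
	if !ok {
		return errors.New("unknown user")
	}
	expected, ok := s.nonces[user]
	if !ok || !bytes.Equal(expected, nonce) {
		return errors.New("no outstanding challenge matches this nonce")
	}
	delete(s.nonces, user) // single use: consumed even if verification fails
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify under the registered public key")
	}
	return nil
}

// Authenticator is the user's side: it holds the private key and only ever
// releases signatures, never the key itself. (Hypothetical type.)
type Authenticator struct {
	priv ed25519.PrivateKey
}

func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, pub, nil
}

// Sign answers a challenge; the signature is the only thing that crosses the wire.
func (a *Authenticator) Sign(nonce []byte) []byte {
	return ed25519.Sign(a.priv, nonce)
}

func main() {
	auth, pub, err := NewAuthenticator()
	if err != nil {
		panic(err)
	}
	srv := NewServer()
	srv.Register("alice", pub) // constructed demo user

	nonce, _ := srv.Challenge("alice")
	sig := auth.Sign(nonce)
	fmt.Println("nonce: ", hex.EncodeToString(nonce))
	fmt.Println("login: ", srv.Login("alice", nonce, sig))  // <nil>
	fmt.Println("replay:", srv.Login("alice", nonce, sig))  // error: nonce already consumed
}
```

Two things worth noticing: the server never sees anything it could reuse to impersonate the user, and the only state it must protect is the public key list plus the outstanding nonces. Real WebAuthn/passkey logins sign over more than the bare nonce (the relying-party ID and origin are bound into the signed data), which is what stops a signature obtained on a look-alike site from being accepted by the real one.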