Is biometric passkey authentication a form of ZK proof of identity?

Help me understand: I make a passkey on my phone, and now I can use that to log in to XYZ Corp’s site. 

Now I lose my phone, and @0xshushant.eth  finds it.

Unless I have faceID/touchID/passcode set up on my phone, how is this different than using app/device specific passwords?

Great question! Let's break this down:

When you create a passkey on your phone, it generates a cryptographic key pair - a private key stored locally and a public key stored on XYZ Corp's server.

Comparison to app/device-specific passwords:

While there are similarities in the scenario you described, passkeys still offer some advantages:

a) Phishing resistance: Even if someone accesses your phone, they can't use the passkey on a fake website. The cryptographic verification ensures the passkey only works with the legitimate site.

b) Server-side security: Unlike passwords (even device-specific ones), the server only stores the public key so an attacker cannot impersonate you if their database is breached

c) Ease of revocation: If you lose your phone, you can usually revoke access for that device more easily than changing multiple app-specific passwords.