- Password is a single key, while passkey is a key-pair (private key & public key).
- Password can be weak, while passkey is always strong.
  - Password can be strong, if autogenerated.
- When authenticating, password can be sent to the server (depending on the authentication protocol; SCRAM or PAKE based protocols never send password to the server). With passkey, private key is not sent to the server for authentication purposes.
- Password manager can sync/backup your password and your passkey's "private" key.
- For a single service, same password is used from all devices. Passkey can be different for each device, but I'm not sure how this works (if it works) with sync/backup.
- Quantum-Safety: Key-derivation functions used with passwords are quantum-safe. Most (all?) asymmetric key algorithms, currently in commercial use (passkeys included), are not quantum-safe.
I'm not an expert on the topic. That's just a summary of my current understanding of passkeys, if it helps anyone. Note that mistakes are possible.
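
Added example, not part of the original post: a reduced SCRAM-SHA-256 proof exchange (RFC 5802 key derivation) showing how a password-based login can be verified without the password crossing the wire. Assumptions: the `AuthMessage` is replaced by random nonce bytes, the server-signature step and SASLprep normalization are omitted, and all function names and sample values are constructed for illustration.

```python
import hashlib
import hmac
import os

def _hmac(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha256).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def _client_key(password: str, salt: bytes, iterations: int) -> bytes:
    # SaltedPassword = PBKDF2-HMAC-SHA256(password, salt, i)
    # ClientKey      = HMAC(SaltedPassword, "Client Key")
    salted = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return _hmac(salted, b"Client Key")

def enroll(password: str, iterations: int = 4096) -> dict:
    # Server-side record: salt, iteration count and StoredKey = H(ClientKey).
    # Neither the password nor ClientKey is kept.
    salt = os.urandom(16)
    stored_key = hashlib.sha256(_client_key(password, salt, iterations)).digest()
    return {"salt": salt, "iterations": iterations, "stored_key": stored_key}

def client_proof(password: str, salt: bytes, iterations: int, auth_message: bytes) -> bytes:
    # ClientProof = ClientKey XOR HMAC(StoredKey, AuthMessage); only this is sent.
    key = _client_key(password, salt, iterations)
    signature = _hmac(hashlib.sha256(key).digest(), auth_message)
    return _xor(key, signature)

def server_verify(record: dict, auth_message: bytes, proof: bytes) -> bool:
    # Recover the candidate ClientKey from the proof and compare its hash to StoredKey.
    signature = _hmac(record["stored_key"], auth_message)
    candidate = _xor(proof, signature)
    return hmac.compare_digest(hashlib.sha256(candidate).digest(), record["stored_key"])

def demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    rec = enroll(password)
    msg1 = os.urandom(32)  # stand-in for the nonce-bearing AuthMessage of login 1
    msg2 = os.urandom(32)  # a later login gets fresh nonces
    proof = client_proof(password, rec["salt"], rec["iterations"], msg1)
    bad = client_proof("guess", rec["salt"], rec["iterations"], msg1)
    return {"good": server_verify(rec, msg1, proof),
            "wrong_password": server_verify(rec, msg1, bad),
            "replayed": server_verify(rec, msg2, proof),
            "password_on_wire": password.encode() in proof}

if __name__ == "__main__":
    print(demo())
```

The proof is bound to the per-login nonces, so a captured proof fails when replayed against a later login.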