It is an asymmetrical key that can be associated with a web2.0 account to log in without passwords by signing a challenge.
The often not discussed aspect of it is that it is meant to be device-bound, so services may only accept keys that are themselves signed by a trusted party, to prove that it was generated in a secure environment where the key can't be extracted by scripts or extensions or whatnot.
It is not bad, honestly; it just doesn't work for sovereign identity as nicely.
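
The two checks described in the post above, as an added example that is not part of the original post: a service accepts a credential key only if a trusted party signed it, then verifies a signed one-time challenge at login. This is a simplified model, not the WebAuthn wire format; `makeAuthenticator`, `makeService` and `demo` are hypothetical names, and the vendor key stands in for an attestation root.

```javascript
// Added example: simplified model of passkey registration (with attestation)
// and challenge-signing login. All names are hypothetical; keys are generated here.
const nodeCrypto = require('node:crypto');
const newKey = () => nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
const spki = (pub) => pub.export({ type: 'spki', format: 'der' });

// Authenticator: generates the credential key and has the vendor's attestation
// key vouch for it. The private half is never returned to the caller.
function makeAuthenticator(attestationKey) {
  const cred = newKey();
  const pub = spki(cred.publicKey);
  return {
    register: () => ({ publicKey: pub,
      attestation: nodeCrypto.sign('sha256', pub, attestationKey.privateKey) }),
    signChallenge: (challenge) => nodeCrypto.sign('sha256', challenge, cred.privateKey),
  };
}

// Service: stores a public key only if a trusted attestation key signed it.
function makeService(trustedKeys) {
  const accounts = new Map(), pending = new Map();
  return {
    register(user, { publicKey, attestation }) {
      const ok = trustedKeys.some((k) => nodeCrypto.verify('sha256', publicKey, k, attestation));
      if (ok) accounts.set(user, publicKey);
      return ok;
    },
    challenge(user) {
      pending.set(user, nodeCrypto.randomBytes(32)); // fresh random challenge
      return pending.get(user);
    },
    login(user, signature) {
      const c = pending.get(user), der = accounts.get(user);
      pending.delete(user); // each challenge is single use
      if (!c || !der) return false;
      const key = nodeCrypto.createPublicKey({ key: der, format: 'der', type: 'spki' });
      return nodeCrypto.verify('sha256', c, key, signature);
    },
  };
}

function demo() {
  const vendor = newKey(), service = makeService([vendor.publicKey]);
  const device = makeAuthenticator(vendor), selfMade = makeAuthenticator(newKey());
  const attested = service.register('alice', device.register());
  const unattested = service.register('bob', selfMade.register()); // untrusted signer
  const sig = device.signChallenge(service.challenge('alice'));
  const login = service.login('alice', sig);
  service.challenge('alice'); // a new challenge makes the old signature useless
  return { attested, unattested, login, replay: service.login('alice', sig) };
}
console.log(demo());
```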