it's the same as all auth systems... you have a secret that the protocol allows you to prove you have without giving it to the other side (for nostr that is signing an event, the signature validates on the public key, on normal login systems you send the password but they immediately hash it and compare to the hashed password of your account)

the nostr auth protocol is stronger than standard logins, a LOT stronger