In short: it's bog standard public key cryptography. My browser has a keypair and my email provider has a keypair. My public key and email address are bound together and signed by my email provider's private key. When I want to log into a site, I pass along that certificate. I also pass along a document containing where I want to log in and the current time, signed by my browser's private key.
The latter document ties a given login request to a specific keypair.
The former document ties a given keypair to an email address.
Together, they identify me and prove that the person logging in really is the same person that was authenticated by the email provider.