No problem, every issue raised is important to others also.

The front-end will be the very same web application. The public key is stored in your account record and the web app uses the password stored in browser secure memory storage to sign transactions. So, yes, you got it in one :)

Oh, and 'signing in' just means to show it as though it's yours, which includes things like who you have followed, who you have blocked, your user settings and exposing your details in the wallet. It does not cause a transaction to occur. The information shown when you are signed in is public information, it just configures the key to be the one used when you attempt to post transactions.

Oh, and yes, it does verify. I'm not sure how, but there is a function that generates public keys from private in steem-js so I assume it just runs that function and compares to the one on the chain.