You can think of a private key like a really long, complicated password. Like, thousands of characters. But you don't have to type it in every time, you just let your phone store it for you and fill it in for you in apps (and now, websites).
To log into a website, your iPhone checks to see if your face is your face, and if it is then unlocks your private key to send it to the website. If it can't identify your face, then it won't enter your password.
Sending your actual facial data to a website would be bad because you can't change your face, so if you give your face to one site, then that site could use it to log in as you to other sites. But by just using it to unlock a private key, you (or Apple on your behalf) can still change or de-authorize your private key, and use a unique one for each site. Basically all the good practices you're supposed to follow when you use a password, and they aren't giving any site any special data that they could use anywhere other than their own site.
Yes. In WebAuthn every single time you enroll on some web site with this system, a completely random new private key will be generated and the site will be given the corresponding public key and a fresh magic "cookie" identifier that serves no other purpose.
Your Apple device remembers the association between this particular web site, any user ID the site said is relevant (e.g. maybe the username mrwnmonm and friendly name "Shiny Steve"), the cookie, and the private key.
On subsequent visits either of two things can happen:
1. You tap some sort of easy one-touch login button. The Apple device says "Hey, sign in here as mrwnmonm / Shiny Steve?" and you use your Touch ID to prove you are still you; this unlocks the private key, Safari uses the private key to create a proof that you still know that key, and attaches the proof and the cookie. The site recognises you must be Shiny Steve and you're in.
2. You sign in "normally" (e.g. with a username and password) but then as a Second Factor the site shows the Apple Device the cookie it remembers, your device recognises this cookie and prompts you for a touch to prove you are still Shiny Steve, whereupon it uses the private key to sign a proof and send it back to the site.
Because the keys are different on every site, even if two web sites deliberately work together to try to figure out if a user on one site is the same person as a user on another site, WebAuthn doesn't help them do that at all.
Also unlike passwords or most other schemes, there's no risk from mass data loss because the web site is storing public information. If a "dump" of every Facebook WebAuthn public key was made, that's essentially useless to everybody except Facebook anyway, whereas obviously a password dump or a dump of all the TOTP secrets would be a huge security problem.
Yes, it's unique for each site, which makes WebAuthn extremely phishing resistant. Even on look-alike domains the origin doesn't match and your phone has nothing to send.