That’s not quite right. WebAuthn completely prevent cases where the user fails to authenticate the server, which is an extremely common attack. It does not protect against a compromise of the web PKI system, which is a rare and catastrophic scenario which no other alternative protects against but they do mitigate the damage somewhat in that using a public key rather than a shared secret prevents reuse and implementations are required to confirm user intention so I can’t spam logins to other sites or faster than you’re willing to tap a button.
What does any of this have to do with my contention that public key signatures are not really needed in the case where every connection has its own key pair? I think we are talking about two different things here.
