So this is like BrowserID/Persona but instead of including the third-party email service to prove identification, the only credentials are on device/in-browser, right?
I assume that if you only connect one computer (authenticator) and lose the device, you're either SOL or the service has some workaround where you pre-register an email address or a separate "Login With" service.
No, it's a new standard where the site securely negotiates the login with the browser. What happens after that is the browser's job; all the site cares about is that it sees a correct credential.
E.g. your password manager could implement this so all you'd have to do is click "log in" and you'd be in, without usernames or passwords to remember or steal.
So, how do you keep someone else from sitting down at your computer and clicking Log In? Am I right in guessing that fundamentally you're back to passwords, in the sense that when you are away you lock your computer screen and have to enter a password to unlock it (or some other implementation that still relies on passwords, like if your browser requires a master password to use its password manager, etc.)?
You use some method of authentication, of course. How do you keep someone who has your unlocked password manager from using it? You just make sure nobody is ever in that situation.
The big win is that, with WebAuthn, you don't need to also hide your authentication from site operators, your OS, key loggers, phishers, etc etc.
Thanks. Like you said, this is safer, even if a password remains somewhere in the chain, like a master password for your computer. An advantage is that websites are not storing passwords (hashed or otherwise, because it's hard to do well).
I use a Yubikey, so there's no password for me (just a PIN that wipes the key if it's entered incorrectly a few times). You can also use a fingerprint scanner, face ID, etc.