This article sparked some chatter here at 1Password: https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/. I've been anticipating this capability for a while and am excited it's here. I'd love to see the WebKit team take biometry one step further. At 1Password, "signing in" is not just authentication. We need to derive an encryption key to decrypt your secrets. In the native apps, we've been able to unlock using just Face ID or Touch ID because of the access to the device's keychain. But at this point, Face ID and Touch ID on the web are restricted to authentication only, WebAuthn specifically. We'd be very interested in seeing a biometry API that afforded decryption capabilities. A basic implementation might be something like a domain-scoped keychain where a secret could be stored and retrieved. Or perhaps just an API that would allow encrypting and decrypting, and the data could be stored in local storage or on a server.
Thanks for filing. CCing some more folks here for consideration.
<rdar://problem/70588887>
CTAP2.1/WebAuthn Level 2 adds an extension that allows storing a 256-bit key with discoverable credentials. CTAP2.1 security keys are just coming out. At some point the platform authenticator in OSX and iOS could support the new feature.