by agl 417 days ago
WebAuthn protects the sign in, but malware can still steal the resulting cookies. DBSC protects the sign in _session_. (It should stand for Don’t Bother Stealing Cookies.)
1 comment

If you read the proposal carefully, this API is used to refresh/revalidate an extremely short-lived cookie, not to replace the cookie itself, which you can already do with WebAuthn.
Maybe there is an assumption that this is easier to push through for the masses because the UX is better (no phone, no physical key required).
WebAuthn always requires a user presence check, though.
It seems the whole proposal exists solely because they are unwilling to add a "silence" option to WebAuthn. I am confused about the decision, though.

https://github.com/w3c/webauthn/issues/199#issuecomment-2669...
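As an added example, not code from this thread or from the DBSC proposal itself, the following Go program models the refresh flow the reply describes: the cookie stays a short-lived bearer token, and a new one is only issued when the client signs a fresh server challenge with a key registered at sign-in, with no user presence step. The names (Store, Register, Refresh, cookieTTL), the Ed25519 key type, the in-memory session table and the ten-minute TTL are all my assumptions; the real proposal's endpoints, key handling and cookie format are not taken from this page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// cookieTTL models the "extremely short-lived cookie" from the reply (assumed value).
const cookieTTL = 10 * time.Minute

// Session is the server-side record for one signed-in device (assumed layout).
type Session struct {
	ID        string
	DeviceKey ed25519.PublicKey // registered once at sign-in; assumed to be device-bound
	Cookie    string            // current short-lived bearer cookie value
	Expires   time.Time
	Challenge string // outstanding single-use refresh challenge, "" if none
}

// Store is a placeholder in-memory session table standing in for a real backend.
type Store struct {
	sessions map[string]*Session
}

func NewStore() *Store { return &Store{sessions: map[string]*Session{}} }

func randomToken() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return hex.EncodeToString(b)
}

// Register runs after a successful sign-in (e.g. WebAuthn). The device's public
// key is bound to the session; the cookie itself remains a plain bearer token.
func (s *Store) Register(pub ed25519.PublicKey, now time.Time) *Session {
	sess := &Session{ID: randomToken(), DeviceKey: pub, Cookie: randomToken(), Expires: now.Add(cookieTTL)}
	s.sessions[sess.ID] = sess
	return sess
}

// Validate is the ordinary request path: the cookie alone suffices, but only
// until it expires, so a stolen cookie is useful for at most cookieTTL.
func (s *Store) Validate(id, cookie string, now time.Time) bool {
	sess, ok := s.sessions[id]
	return ok && sess.Cookie == cookie && now.Before(sess.Expires)
}

// NewChallenge hands the client a fresh nonce to sign for the next refresh.
func (s *Store) NewChallenge(id string) (string, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return "", errors.New("unknown session")
	}
	sess.Challenge = randomToken()
	return sess.Challenge, nil
}

// Refresh rotates the cookie only if the caller proves possession of the
// device-bound private key by signing the outstanding challenge. No user
// presence check is involved, which is the silent behaviour the reply contrasts with WebAuthn.
func (s *Store) Refresh(id, challenge string, sig []byte, now time.Time) (string, error) {
	sess, ok := s.sessions[id]
	if !ok {
		return "", errors.New("unknown session")
	}
	if sess.Challenge == "" || challenge != sess.Challenge {
		return "", errors.New("stale or unknown challenge")
	}
	sess.Challenge = "" // single use, consumed even on failure: a captured signature cannot be replayed
	if !ed25519.Verify(sess.DeviceKey, []byte(challenge), sig) {
		return "", errors.New("signature does not match device key")
	}
	sess.Cookie = randomToken() // old value stops working immediately
	sess.Expires = now.Add(cookieTTL)
	return sess.Cookie, nil
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	store := NewStore()
	t0 := time.Now()
	sess := store.Register(pub, t0)
	stolen := sess.Cookie // constructed scenario: malware copied the cookie jar
	fmt.Println("stolen cookie valid now:", store.Validate(sess.ID, stolen, t0))
	later := t0.Add(cookieTTL + time.Minute)
	fmt.Println("stolen cookie valid after TTL:", store.Validate(sess.ID, stolen, later))
	ch, _ := store.NewChallenge(sess.ID)
	_, err := store.Refresh(sess.ID, ch, []byte("no-device-key"), later)
	fmt.Println("refresh without device key:", err)
	ch, _ = store.NewChallenge(sess.ID)
	fresh, err := store.Refresh(sess.ID, ch, ed25519.Sign(priv, []byte(ch)), later)
	fmt.Println("refresh with device key:", err == nil, store.Validate(sess.ID, fresh, later))
}
```

The point the model makes concrete is the one in the reply: the cookie is still a bearer token, so the protection comes entirely from keeping its lifetime short and gating every renewal on a signature that only the device holding the private key can produce.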