
Why would access to the fingerprint sensor give the ability to forge WebAuthn signatures? An app being able to detect that the phone’s user has their finger on the sensor does not in any way compromise the security of a different app doing the same thing.

Obviously one could write a malicious browser that implements WebAuthn wrong and compromises users who register with a site using that browser. This leads to discussions about WebAuthn attestation, and there are valid arguments there both ways.



> Why would access to the fingerprint sensor give the ability to forge WebAuthn signatures?

It wouldn't? No apps get access to the fingerprint sensor, it's very hard to imagine any legitimate purpose for that, and easy to imagine hostile use cases.

The operating system doesn't give access to the fingerprint sensor, it provides an API for doing FIDO (the underlying technology to deliver WebAuthn) and the fingerprint sensor is used by the operating system to provide User Verification for that.

The API takes a parameter for the Relying Party Identifier. For most phone apps, you can't control this, it'll be set to an ID for your app, which you can discover and fill out in your server backend. This way your app can authenticate your users to your servers, but other apps can't imitate it.

But for WebAuthn the RPID is based on the DNS name of the web site, so a web browser needs a way to actually set this value or it can't do WebAuthn. Hence, Android needs an extra permission flag to authorise legitimate web browsers to set the RPID while preventing untrustworthy apps from doing so.
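The RP ID binding the comment above describes is enforced on the server side by checking the `rpIdHash` field of the authenticator data against the SHA-256 of the expected RP ID, and the UV flag in the same structure is how the server learns that the operating system performed user verification (for example via the fingerprint sensor). The following is an added example, not code from the thread; the RP IDs `example.com` and `evil.example` and the sample authenticator data are constructed fixtures, and signature verification itself is out of scope.

```python
import hashlib
import struct

# Flag bits in the authenticatorData "flags" byte (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # User Present
FLAG_UV = 0x04  # User Verified (e.g. fingerprint checked by the OS)
FLAG_AT = 0x40  # Attested credential data included
FLAG_ED = 0x80  # Extension data included


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix of WebAuthn authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = auth_data[:32]
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": rp_id_hash,
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion_binding(auth_data: bytes, expected_rp_id: str, require_uv: bool = True) -> list:
    """Return the list of binding failures; an empty list means the checks pass."""
    parsed = parse_authenticator_data(auth_data)
    failures = []
    # The credential is scoped to the RP ID: a hash for any other origin must be rejected.
    if parsed["rp_id_hash"] != hashlib.sha256(expected_rp_id.encode("utf-8")).digest():
        failures.append("rpIdHash does not match expected RP ID")
    if not parsed["user_present"]:
        failures.append("UP flag not set")
    if require_uv and not parsed["user_verified"]:
        failures.append("UV flag not set")
    return failures


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct sample authenticatorData (test fixture, not captured from a real device)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    good = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    print(check_assertion_binding(good, "example.com"))  # []
    wrong_rp = make_auth_data("evil.example", FLAG_UP | FLAG_UV, 7)
    print(check_assertion_binding(wrong_rp, "example.com"))  # ['rpIdHash does not match expected RP ID']
```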


This sounds like a mediocre design. An entirely separate key hierarchy per app would avoid any possibility of confusing signatures with those generated by another app, even if both apps were web browsers.



