This is true for some 2FA methods, but you can literally publish all the data for WebAuthn and it won't make any difference to the security for your users or your site. Same reason seeing the certificate for Hacker News doesn't get you any closer to successfully impersonating the site: public key cryptography.
Bad guys who steal my WebAuthn credentials for foo.example don't learn how to sign in as me on any site at all, even on foo.example. If they break into another site, bar.example, and steal all their WebAuthn credentials too, they can't even correlate them to figure out who has sign-ins on both sites.
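The property described in the comment above, as an added example that is not part of the original comment: a simplified Node.js model of WebAuthn showing that the record a site stores is enough to verify a sign-in but not to produce one, and that the records held by two sites share nothing. Real WebAuthn uses CBOR/COSE structures and further checks; the function names and record layout here are assumptions made for illustration.

```javascript
// Simplified model: signature covers SHA-256(rpId) || SHA-256(clientData).
// Real WebAuthn signs authenticatorData || SHA-256(clientDataJSON).
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator side: a fresh random key pair and credential ID per site.
function register(rpId) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    secret: { rpId, privateKey }, // stays on the authenticator
    serverRecord: {               // everything the site stores
      credentialId: crypto.randomBytes(16).toString('hex'),
      publicKeyPem: publicKey.export({ type: 'spki', format: 'pem' }),
    },
  };
}

// Bytes that get signed: bound to the site and to this one challenge.
function signedBytes(rpId, challenge, origin) {
  const clientData = JSON.stringify({ type: 'webauthn.get', challenge, origin });
  return Buffer.concat([sha256(rpId), sha256(clientData)]);
}

function sign(secret, challenge, origin) {
  return crypto.sign('sha256', signedBytes(secret.rpId, challenge, origin), secret.privateKey);
}

function verify(record, rpId, challenge, origin, signature) {
  return crypto.verify('sha256', signedBytes(rpId, challenge, origin), record.publicKeyPem, signature);
}

function demo() {
  const foo = register('foo.example'); // constructed sample sites
  const bar = register('bar.example');
  const origin = 'https://foo.example';
  const challenge = crypto.randomBytes(32).toString('hex');
  const signature = sign(foo.secret, challenge, origin);
  const check = (sig, chal) => verify(foo.serverRecord, 'foo.example', chal, origin, sig);
  // A party holding only foo.serverRecord has no private key; any other key fails.
  const otherKey = register('foo.example');
  return {
    legit: check(signature, challenge),
    wrongKey: check(sign(otherKey.secret, challenge, origin), challenge),
    oldSignatureNewChallenge: check(signature, crypto.randomBytes(32).toString('hex')),
    linkable: foo.serverRecord.credentialId === bar.serverRecord.credentialId ||
      foo.serverRecord.publicKeyPem === bar.serverRecord.publicKeyPem,
  };
}
```

`demo()` returns `legit: true` and `false` for the other three fields: the stored public key verifies only signatures made with the matching private key over the current challenge, and the two sites' records have no common value to join on.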