Passkeys face a similar issue to when password managers don’t autocomplete credentials: we’re accustomed to technology not working well due to poor implementations, so when it does not work, we may assume it’s just unreliable and resort to alternative authentication methods instead of suspecting something suspicious. Of course, when they work well, they are much more secure, and if passkeys were reliable enough to not ever need passwords, that would solve a lot.
I thought that passkeys were domain-bound through a challenge response mechanism?
That should completely prevent phishing of this simple "MitM the 2nd factor" kind. At least, that's how I've seen it be sold.
Yes. So when it prevents the phishing attempt there's a good chance that quite a few people will assume something broke and attempt an alternative login method - with the phishing "service".