Yes, I understand how phishing with 2FA works. But to me, passkeys sound like 2FA with your fingerprint/smartphone PIN? What's actually different there?
The difference is in step 4. With SMS or one-time code 2FA (or passwords) you're just entering text into a website, and nothing verifies you're interacting with the right website. With passkeys or FIDO tokens, though, there's a cryptographic protocol that considers the domain: your fingerprint/PIN isn't sent to the website.
So, evil.example tries to log in and triggers the passkey thing on my smartphone. My smartphone asks "Do you want to log in to good.example?" Because I'm currently being phished and didn't pay attention to the URL "evil.example" anyway, I will confirm this on my smartphone and evil.example is granted access to my account. I don't see how this is more phishing resistant than current 2FA. How can my smartphone know whether I'm interacting with the correct website on my laptop?
> How can my smartphone know whether I'm interacting with the correct website on my laptop?
Because when evil.example requests the passkey it has to do so through browser APIs [1], and it can't lie about its domain name. Your browser is what reaches out to your phone, which is how your phone learns what domain you are actually on.
This is maybe an oversimplification, but the token that your phone gives your laptop includes "only valid for good.example". Your browser on your laptop then knows not to send it to evil.example.
What is the scenario in which SMS one-time codes are prone to phishing, but passkeys are not?