This is included webauthn, which is the basis for both passkeys and fido2 auth.
To sign in, you are sent a 'challenge', and must sign it and return it. The challenge includes a "Relying Party Identifier" (RPID), which is basically the domain of the site requesting authentication.
That way, if a phishing domain prompts you for auth, they cannot proxy your response, because the RPID you signed will not match the authentic domain and will therefore be invalid.
The way I see it, it works for all the above. Passkeys are available on all devices, and whatever contact method the attackers use will harvest a signed response with an invalid RPID (a credential that won't work).
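The relying-party side of that check, as an added example that is not from the thread or any WebAuthn library: it assumes a site with RP ID `example.com`, a constructed challenge, and stdlib-only Python. It parses the browser's `clientDataJSON` and the authenticator's `authenticatorData`, and shows why a response harvested on a look-alike domain (even one that relays the genuine challenge) fails before any signature is checked.

```python
import base64
import hashlib
import json

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_auth_data(rp_id: str, flags: int = 0x05, counter: int = 1) -> bytes:
    """Constructed authenticatorData: sha256(rpId) || flags (UP|UV) || 32-bit counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")

def check_assertion_binding(client_data_json: bytes, auth_data: bytes,
                            expected_challenge: bytes, rp_id: str, allowed_origins: set) -> tuple:
    """Relying-party checks that bind a response to this site. Returns (ok, reason).
    Only after these pass would the server verify the signature over signed_message()."""
    try:
        cd = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON"
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (stale or foreign challenge)"
    if cd.get("origin") not in allowed_origins:          # the browser, not the user, fills this in
        return False, "origin %r not allowed" % cd.get("origin")
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this RP ID"
    if not auth_data[32] & 0x01:                         # UP bit: user presence
        return False, "user presence flag not set"
    return True, "binding checks passed"

def signed_message(auth_data: bytes, client_data_json: bytes) -> bytes:
    """Bytes the authenticator actually signed: authenticatorData || sha256(clientDataJSON)."""
    return auth_data + hashlib.sha256(client_data_json).digest()

CHALLENGE = b"constructed-random-challenge"   # a real server uses fresh random bytes per login
RP_ID, ORIGINS = "example.com", {"https://example.com"}

def assertion_from(origin: str, rp_id_seen_by_browser: str) -> tuple:
    """Constructed clientDataJSON + authenticatorData as a browser on `origin` would produce."""
    cd = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE), "origin": origin})
    return cd.encode(), make_auth_data(rp_id_seen_by_browser)

if __name__ == "__main__":
    print(check_assertion_binding(*assertion_from("https://example.com", "example.com"), CHALLENGE, RP_ID, ORIGINS))
    # Phishing page relays the real challenge, but the browser binds the response to its own domain:
    print(check_assertion_binding(*assertion_from("https://example-login.test", "example-login.test"), CHALLENGE, RP_ID, ORIGINS))
```

The first call passes; the second is rejected on origin, and would also fail the `rpIdHash` comparison, so the relayed response is useless on the genuine site.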
Yeah, I'm thinking of how to integrate authn into messaging and phone apps. One idea is to add the phone to the web certificate so a remote check can be made during the call.