
So, evil.example tries to log in and triggers the passkey thing on my smartphone. My smartphone asks "Do you want to log in to good.example?" Because I'm currently being phished and didn't pay attention to the URL "evil.example" anyway, I will confirm this on my smartphone and evil.example is granted access to my account. I don't see how this is more phishing resistant than current 2FA. How can my smartphone know whether I'm interacting with the correct website on my laptop?


> How can my smartphone know whether I'm interacting with the correct website on my laptop?

Because when evil.example requests the passkey it has to do so through browser APIs [1], and it can't lie about its domain name. Your browser is what reaches out to your phone, which is how your phone learns what domain you are actually on.

[1] https://www.w3.org/TR/webauthn-2/

In this case your phone wouldn't even show you your passkeys from good.example.


This is maybe an oversimplification, but the token that your phone gives your laptop includes "only valid for good.example". Your browser on your laptop then knows not to send it to evil.example.
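An added example (not from any commenter here) that sketches the two checks the replies above describe: the browser only lets a page request a passkey for an RP ID that matches its own origin, and the site verifies the origin and RP ID hash that are signed into every assertion. HMAC over a constructed shared key stands in for the credential's real asymmetric signature, and the origin/RP ID suffix rule is simplified (no public-suffix-list handling).

```python
import hashlib, hmac, json
from urllib.parse import urlsplit

# Constructed stand-in for the credential's private key: real passkeys sign with
# an asymmetric key pair, HMAC just keeps this example dependency-free.
CREDENTIAL_KEY = b"constructed-demo-credential-key"

def rp_id_allowed(origin: str, rp_id: str) -> bool:
    """Browser rule: RP ID must be the page's host or a parent domain of it
    (simplified; real browsers also apply the public suffix list)."""
    host = urlsplit(origin).hostname or ""
    return host == rp_id or host.endswith("." + rp_id)

def browser_get_assertion(origin: str, rp_id: str, challenge: str):
    """Browser + authenticator side of navigator.credentials.get()."""
    if not rp_id_allowed(origin, rp_id):
        raise ValueError(f"{origin} may not request a passkey for {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": origin}
    ).encode()
    # authenticatorData begins with SHA-256(rpId); the signature covers
    # authenticatorData || SHA-256(clientDataJSON), so the origin is bound in.
    auth_data = hashlib.sha256(rp_id.encode()).digest()
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(CREDENTIAL_KEY, signed, "sha256").digest()
    return client_data, auth_data, sig

def site_verify(expected_origin: str, expected_rp_id: str, expected_challenge: str,
                client_data: bytes, auth_data: bytes, sig: bytes) -> bool:
    """Subset of the relying party's WebAuthn assertion verification steps."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != expected_origin:  # assertion was made on another site
        return False
    if auth_data[:32] != hashlib.sha256(expected_rp_id.encode()).digest():
        return False  # signed for a different RP ID
    signed = auth_data + hashlib.sha256(client_data).digest()
    return hmac.compare_digest(hmac.new(CREDENTIAL_KEY, signed, "sha256").digest(), sig)

def phish_relay_succeeds(challenge: str = "constructed-challenge-from-good-example") -> bool:
    """evil.example cannot request good.example's RP ID, and its own assertion fails relay."""
    try:
        browser_get_assertion("https://evil.example", "good.example", challenge)
        return True  # browser should never reach here
    except ValueError:
        pass
    cd, ad, sig = browser_get_assertion("https://evil.example", "evil.example", challenge)
    return site_verify("https://good.example", "good.example", challenge, cd, ad, sig)
```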



