The way I see it, it works for all the above. Passkeys are available on all devices, and whatever contact method the attackers use will harvest a signed response with an invalid RPID (a credential that won't work).
Yeah I’m thinking of how to integrate authn into messaging and phone apps. One idea is to add the phone to the web certificate so a remote check can be made during the call
