> do not control the signing key which is ultimately used to associate app <-> domain <-> passkey, and they do not control the system credentials service which checks this association.

You're assuming the attacker must go through the credential manager and the backing hardware, but that is only the case with attestation. Without it, the attacker can simply generate their own passkey in software, because the backend on the banks side would have no way of telling where the passkey came from.

▲

tadfisher 2 hours ago | parent [-]

How did the service authenticate the user in order to create the new credential within the attacker-controlled app?

▲

Tharre 2 hours ago | parent [-]

With banks, typically a combination of your account number, pin and some confirmation code sent via email or SMS. And of course unregistering your previous device. Not sure where you're going with this though?

	▲	tadfisher an hour ago \| parent [-]
		I am just pointing out that you are essentially saying passkeys can be phished because banks can allow phishable credentials to bypass passkeys.