How did the service authenticate the user in order to create the new credential within the attacker-controlled app?

With banks, typically a combination of your account number, pin and some confirmation code sent via email or SMS. And of course unregistering your previous device. Not sure where you're going with this though?

	▲	tadfisher an hour ago \| parent [-]
		I am just pointing out that you are essentially saying passkeys can be phished because banks can allow phishable credentials to bypass passkeys.