With banks, typically a combination of your account number, pin and some confirmation code sent via email or SMS. And of course unregistering your previous device. Not sure where you're going with this though?

I am just pointing out that you are essentially saying passkeys can be phished because banks can allow phishable credentials to bypass passkeys.