There was a good thread on Hacker News recently about passkeys and email-based 2FA.
This person had a summary explaining the exploitation scenario:
https://news.ycombinator.com/item?id=44819917#44820331
Essentially, normal humans don't scrutinize certificates or website domains.
This is exploitable by malicious humans who send people a link to a page they control and, while the victim is on that page, trigger a 2FA login flow at the legitimate site. They then trick the user into handing the 2FA code straight to them. This stuff seems pretty obvious, but the summary explanation in the comment above is nice and tight.
This person had insightful counterarguments:
https://news.ycombinator.com/item?id=44819917#44820657
Specifically: 2FA phishing is mostly solved if we remove the copy/pasting of credentials from the flow.
I agree.
If security engineers thought more about making user sign-in flows ruthlessly low friction, we'd be OK. Instead we over-index on a sign-in ritual that ends up weakening security.
“I think this is mostly solved, or at least greatly mitigated, by using a Slack-style magic sign-in link instead of a code that you have the user manually enter into the trusted UI”
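To make the difference between the two flows concrete, here is an added example (my own illustration, not code from the Hacker News thread or from Slack) of a magic sign-in link that is bound to the browser session that requested it, next to a plain typed-code flow for contrast. It assumes the site has already set an opaque session cookie before sending the email, that the user opens the link in that same browser, and that the service is an in-memory stand-in for a real token store; the class and method names are my own.

```python
"""Magic sign-in link bound to the requesting browser session.

Added example, not from the original post. Assumed model:
- `session_id` is an opaque cookie the site set before sending the link
  (in production: HttpOnly, Secure, SameSite=Lax).
- the link is emailed and opened in the same browser that asked for it.
"""
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class PendingLogin:
    email: str
    session_id: str      # browser session that requested the link
    expires_at: float
    used: bool = False


@dataclass
class MagicLinkService:
    ttl_seconds: int = 600
    clock: Callable[[], float] = time.time
    _pending: Dict[str, PendingLogin] = field(default_factory=dict)

    def start_login(self, email: str, session_id: str) -> str:
        """Issue a single-use token tied to the requesting browser session.

        The token goes only into the emailed link; it is never shown on
        screen, so there is nothing for the user to read out or type into
        a page someone else controls.
        """
        token = secrets.token_urlsafe(32)
        self._pending[token] = PendingLogin(
            email=email,
            session_id=session_id,
            expires_at=self.clock() + self.ttl_seconds,
        )
        return token

    def complete_login(self, token: str, session_id: str) -> Optional[str]:
        """Return the email to sign in, or None if the link must be refused."""
        pending = self._pending.get(token)
        if pending is None or pending.used:
            return None
        if self.clock() > pending.expires_at:
            del self._pending[token]
            return None
        # The binding check: the link works only in the browser session
        # that asked for it. A valid token presented from any other
        # session is refused, so a link that ends up somewhere else is
        # useless on its own.
        if not hmac.compare_digest(pending.session_id, session_id):
            return None
        pending.used = True
        return pending.email


class TypedCodeService:
    """The code-entry flow, for contrast: nothing ties the code to a session."""

    def __init__(self) -> None:
        self._codes: Dict[str, str] = {}   # email -> pending code

    def start_login(self, email: str) -> str:
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._codes[email] = code
        return code

    def complete_login(self, email: str, code: str) -> Optional[str]:
        # Whoever presents a correct code gets in; the server has no way to
        # tell whether the account owner typed it into the trusted UI or
        # into some other page. That is the gap the magic link closes.
        expected = self._codes.get(email)
        if expected is None or not hmac.compare_digest(expected, code):
            return None
        del self._codes[email]
        return email


if __name__ == "__main__":
    svc = MagicLinkService()
    tok = svc.start_login("alice@example.com", "session-A")   # constructed
    print("other session:", svc.complete_login(tok, "session-B"))  # None
    print("same session: ", svc.complete_login(tok, "session-A"))  # email
    print("replay:       ", svc.complete_login(tok, "session-A"))  # None
```

The session-binding check is the whole point: the server refuses a link unless the cookie presenting it matches the cookie that requested it, and the token is single-use and short-lived. The typed-code service shows what the server is left with when the secret is something the user transcribes: only the code itself, with no way to know which page it was typed into.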
