How did the service authenticate the user in order to create the new credential within the attacker-controlled app?
replyWith banks, typically a combination of your account number, pin and some confirmation code sent via email or SMS. And of course unregistering your previous device. Not sure where you're going with this though?
replyI am just pointing out that you are essentially saying passkeys can be phished because banks can allow phishable credentials to bypass passkeys.
reply