by mimming 2767 days ago
Essentially it borrows the protections from TLS. Here's a link to the relevant part of the spec: https://fidoalliance.org/specs/fido-u2f-v1.2-ps-20170411/fid...

(Sorry if this comes across as RTFM, but I figured the source is better than my attempt at explaining)

1 comments

Not at all, the specification is indeed very clear. Thanks for the link!
Channel ID has been deprecated and replaced by Token Binding, but I'm sure U2F sites don't use either. The real protection is quite simple: incorporating the origin (domain name) in the protocol. So phishers would get a bad response from the token.
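The origin binding described in the comment above, as an added sketch that is not part of either comment or of the FIDO specification. It assumes the AppID equals the origin, models one common key-handle design (an HMAC over the application parameter under a device secret), and uses an HMAC as a stand-in for the ECDSA signature a real token returns; `ToyToken`, `try_login` and both origins are hypothetical names.

```python
import hashlib
import hmac
import os

class BadKeyHandle(Exception):
    """The token's answer when a key handle was not issued for this origin."""

def app_param(origin: str) -> bytes:
    # Computed by the browser from the origin it is really on, not by the page.
    return hashlib.sha256(origin.encode()).digest()

class ToyToken:
    """Simplified model: key handle = nonce || HMAC(device_secret, app_param || nonce)."""

    def __init__(self):
        self._secret = os.urandom(32)  # never leaves the token
        self._counter = 0

    def register(self, app: bytes) -> bytes:
        nonce = os.urandom(16)
        tag = hmac.new(self._secret, app + nonce, hashlib.sha256).digest()
        return nonce + tag

    def authenticate(self, app: bytes, key_handle: bytes, challenge: bytes) -> bytes:
        nonce, tag = key_handle[:16], key_handle[16:]
        expected = hmac.new(self._secret, app + nonce, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise BadKeyHandle("key handle not valid for this origin")
        self._counter += 1
        # Signed data: app_param || user-presence byte || counter || challenge.
        msg = app + b"\x01" + self._counter.to_bytes(4, "big") + challenge
        # Stand-in for the ECDSA P-256 signature of a real token.
        return hmac.new(self._secret + nonce, msg, hashlib.sha256).digest()

def try_login(token: ToyToken, origin: str, key_handle: bytes) -> str:
    """Return 'assertion' or 'rejected' for a sign request made from `origin`."""
    try:
        token.authenticate(app_param(origin), key_handle, os.urandom(32))
        return "assertion"
    except BadKeyHandle:
        return "rejected"

REAL = "https://login.example.com"    # constructed origins
PHISH = "https://login-example.test"
token = ToyToken()
handle = token.register(app_param(REAL))
print(try_login(token, REAL, handle), try_login(token, PHISH, handle))
```

The key handle registered for the real origin is useless when the request comes from any other origin, because the browser supplies a different application parameter and the token's check fails before anything is signed.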