by qqii 1725 days ago
Doesn't WebAuthn have the same issue? If you think you're logging in, but you're actually on a phishing site, you'll have given the attacker a response they can forward on to the real web server?

No. In WebAuthn, site A can only request credentials for site A; there is no way to say "Oh, er, I'm totally site B, give me the site B credentials". Everything is cryptographically tied to the exact DNS name of the site.

So the attacker at best gets valid credentials for their phishing site, which in WebAuthn are deliberately uncorrelated to other credentials; the attacker can't do anything useful with that information. In practice, of course, you don't have or want credentials for their phishing site, so they just get a JavaScript error and give up.