Passkeys or WebAuthn, TOTP based 2FA (regardless of whether it's hardware or software based) is vulnerable to phishing. Protocols like WebAuthn are tied to the domain and is a lot trickier to compromise (at least not without significant effort).
A lot of people here are complacent when it comes to phishing because they believe "I am a big overpaid technical person on Hackers News, I am not dumb enough to fall for suspicious links unlike those dumb unwashed masses" but as most security people know, the sort of mass phishing attempts your grandma receives are relatively low effort compared to actual targeted spear phishing. A dedicated phishing attempt won't have broken English, CSS styling issues, weird punycode etc. It would be practically indistinguishable from the real thing unless you were specifically looking for it.
TOTP (thing that generates the 6 numbers every 30 seconds) whether that's a dedicated device (secure but very annoying) or a TOTP app on your phone (what most people use).
I at least have a different user account that only does TOTP but it isn't really a second factor if it is on the same device (since the idea is to make getting access to the code significantly more difficult than just getting access to the password).