Ackermann Yuriy
Jan 28, 2019

  1. FIDO is available on all browsers.
  2. FIDO is the only widely adopted phishing-proof authentication protocol we have today.

“How to make sure 100% that the server can authenticate the real user and not a phishing attacker?”

You:

  1. Verify challenge — if fails, MITM detected
  2. Verify origin — if fails, phishing attack is detected
  3. Verify counter — if fails, replay attack is detected
  4. Verify signature — if fails, MITM and/or phishing attack is detected
  5. (OPTIONAL) Verify attestation against Metadata Statements that you have loaded from the Metadata Service, to ensure that the authenticator manufacturer is FIPS/CC or FIDO certified.
  6. PROFIT!!!

Does this answer your question?

I understand that this article might be too technical, so here are the slides on U2F. https://slides.com/herrjemand/fido-u2f-kiwipycon-2016

The schemas apply to all of the FIDO protocols.

Here is the article version: https://research.aurainfosec.io/u2f-phishing-proof-2FA-for-general-human-beings/

If you would like to hear my terrible voice here is the video: https://www.youtube.com/watch?v=Mxk3ueCkZG8
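The four checks in the list above (challenge, origin, counter, signature), carried through in working Go as an added example that is not from the original post or from any FIDO/WebAuthn library. The key pair, challenge, relying-party ID and origin are constructed for the demo, signAssertion only stands in for the authenticator so the example runs offline, and a production relying party would additionally check the rpIdHash and flag bits per the WebAuthn spec.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// clientData holds the fields of clientDataJSON that the server checks.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding
	Origin    string `json:"origin"`    // written by the browser, not by the page
}

// Assertion is the (simplified) response the browser returns for a login.
type Assertion struct {
	AuthData       []byte // rpIdHash(32) | flags(1) | signCount(4, big-endian)
	ClientDataJSON []byte
	Signature      []byte // DER ECDSA over authData || SHA-256(clientDataJSON)
}

// Credential is the server-side record stored at registration.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32
}

var (
	ErrChallenge = errors.New("challenge mismatch: MITM suspected")
	ErrOrigin    = errors.New("origin mismatch: phishing suspected")
	ErrCounter   = errors.New("counter did not increase: replay suspected")
	ErrSignature = errors.New("bad signature: MITM and/or phishing suspected")
)

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// signedMessage is what the authenticator signs: authData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return m[:]
}

// VerifyAssertion runs steps 1-4; on success the returned counter must be persisted.
func VerifyAssertion(cred *Credential, a Assertion, challenge []byte, origin string) (uint32, error) {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != b64(challenge) { // 1. challenge
		return 0, ErrChallenge
	}
	if cd.Origin != origin { // 2. origin
		return 0, ErrOrigin
	}
	if len(a.AuthData) < 37 {
		return 0, errors.New("authData too short")
	}
	count := binary.BigEndian.Uint32(a.AuthData[33:37]) // 3. counter
	if count <= cred.SignCount && !(count == 0 && cred.SignCount == 0) {
		return 0, ErrCounter // 0/0 only means the authenticator has no counter
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(a.AuthData, a.ClientDataJSON), a.Signature) { // 4. signature
		return 0, ErrSignature
	}
	return count, nil
}

// signAssertion is a constructed stand-in for the authenticator (not how a real token is driven).
func signAssertion(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte, count uint32) Assertion {
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get", Challenge: b64(challenge), Origin: origin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], 0x01) // flags: user present
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], count)
	authData = append(authData, c[:]...)
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
	return Assertion{AuthData: authData, ClientDataJSON: cdj, Signature: sig}
}

// Demo verifies one genuine assertion and four bad ones (constructed key, challenge, origin).
func Demo() (good, badChallenge, badOrigin, replay, badSig error) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	cred := &Credential{PublicKey: &priv.PublicKey, SignCount: 5}
	ch, stale := make([]byte, 32), make([]byte, 32)
	rand.Read(ch)
	rand.Read(stale)
	const rp, origin = "example.com", "https://example.com"
	a := signAssertion(priv, rp, origin, ch, 6)
	var n uint32
	n, good = VerifyAssertion(cred, a, ch, origin)
	if good == nil {
		cred.SignCount = n // persist the new counter before accepting the login
	}
	_, badChallenge = VerifyAssertion(cred, signAssertion(priv, rp, origin, stale, 7), ch, origin)
	_, badOrigin = VerifyAssertion(cred, signAssertion(priv, rp, "https://examp1e.com", ch, 7), ch, origin)
	_, replay = VerifyAssertion(cred, a, ch, origin) // same assertion again: 6 is not > 6
	t := signAssertion(priv, rp, origin, ch, 7)
	t.Signature[len(t.Signature)-1] ^= 0xff // signature altered in transit
	_, badSig = VerifyAssertion(cred, t, ch, origin)
	return
}

func main() {
	good, c, o, r, s := Demo()
	fmt.Println(good, "|", c, "|", o, "|", r, "|", s)
}
```

The checks are ordered cheapest first, and each failure maps to the attack class named in the list: a challenge the server never issued points at an intermediary, an origin that differs from the site the user should be on points at phishing (the browser, not the page, writes that field), a counter that did not move points at a replayed or cloned credential, and only once those pass is the ECDSA signature checked against the key stored at registration.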
