FIDO2/WebAuthn is only works over HTTPS(Secure context). There is additional token binding that will prevent malware attacks by binding TLS session to the assertion.

FIDO will kill phishing. Full stop.