I understand that the FIDO WebAuthn protocol is phishing-proof, but why would a phishing website ask the user to go through WebAuthn when it can plainly ask for a username/password instead?
What I'm trying to imply is that FIDO is phishing-proof for a service only if it completely enables FIDO on all its authentication endpoints. If it has FIDO on a few endpoints but has even one endpoint which is single-factor, then you are still prone to phishing. My understanding is that when FIDO says it's phishing-proof, it means even if the attacker gets hold of your credentials, it's useless, as they still have to use the FIDO key to access the account. And since a single-factor endpoint exposes that, you are not phishing-proof unless you completely move to FIDO. Am I correct in my understanding?
Correct - no point implementing MFA unless all endpoints enforce it. That means that if you have a legacy API that takes username and password then it should not be possible to authenticate via it if the user account has FIDO2 enabled.
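
The enforcement described in the answer above, as an added example that is not part of the original post: a password-only legacy endpoint with and without the FIDO2 enrollment check, plus a small audit that flags any endpoint where a FIDO2 account's password alone still succeeds. The account store, endpoint paths and function names are hypothetical, and the accounts are constructed sample data.

```python
import hashlib
import hmac
from dataclasses import dataclass

@dataclass
class Account:
    salt: bytes
    pw_hash: bytes
    fido2_enabled: bool

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _account(password: str, fido2_enabled: bool) -> Account:
    salt = b"constructed-salt"  # fixed salt for the demo only; use a random one per user
    return Account(salt, _hash(password, salt), fido2_enabled)

# Constructed sample accounts: alice has a FIDO2 key enrolled, bob does not.
ACCOUNTS = {"alice": _account("correct horse", True),
            "bob": _account("hunter2", False)}

def _password_ok(username: str, password: str) -> bool:
    acct = ACCOUNTS.get(username)
    return acct is not None and hmac.compare_digest(
        _hash(password, acct.salt), acct.pw_hash)

def legacy_login_unenforced(username: str, password: str) -> tuple[bool, str]:
    """Single-factor endpoint that ignores FIDO2 enrollment (the gap)."""
    ok = _password_ok(username, password)
    return ok, "password_ok" if ok else "bad_credentials"

def legacy_login_enforced(username: str, password: str) -> tuple[bool, str]:
    """Same endpoint, but it refuses FIDO2-enrolled accounts outright.
    The reason string is for server-side logs; clients get a generic failure."""
    acct = ACCOUNTS.get(username)
    if acct is not None and acct.fido2_enabled:
        return False, "fido2_enrolled"  # the password is never evaluated
    ok = _password_ok(username, password)
    return ok, "password_ok" if ok else "bad_credentials"

def single_factor_gaps(endpoints: dict) -> list[str]:
    """Names of endpoints where a FIDO2 account's password alone succeeds."""
    return [name for name, login in endpoints.items()
            if login("alice", "correct horse")[0]]

# Hypothetical endpoint inventory: v1 lacks the check, v2 has it.
ENDPOINTS = {"/api/v1/login": legacy_login_unenforced,
             "/api/v2/login": legacy_login_enforced}
```

Running `single_factor_gaps(ENDPOINTS)` over every authentication path a service exposes gives a regression check that no endpoint accepts a password alone for an account with FIDO2 enrolled.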