And even a passkey on a phone that doesn't require authentication is immune to remote phishing and cloning.