Pins can still be phished. Just make the phishing a live proxy resembling the real site.
A fundamental difference with e.g. FIDO2 (especially hardware-backed) is that the private credentials are keyed to the relying party ID, so it's not possible for a phising site to intercept the challenge-response.
One of my banks uses a card reader and pin to log in, seems more secure.
Pins can still be phished. Just make the phishing a live proxy resembling the real site.
A fundamental difference with e.g. FIDO2 (especially hardware-backed) is that the private credentials are keyed to the relying party ID, so it's not possible for a phising site to intercept the challenge-response.
That’s just as bad. You need to take out the human error out of the equation.