What separate auth operation is needed besides authenticating with the local device to unlock a passkey?

There was the one case with the scammers in the UK using a homemade cell tower to essentially send out phishing texts directly to cell phones in an area, completely bypassing the phone company. It seems like this scare texts scenario would fit that kind of tech even better, as you only need to send out a message once to a large amount of people and you don’t need to collect information in response like in a phishing scenario.