Passkey enrollment / migration phishing: impersonates Google / Microsoft / Apple / Yahoo / Okta / Duo / 1Password with a "we're enrolling you in passkeys, confirm this device" narrative. The lure either harvests the current password during a fake pre-enrollment confirmation step or initiates a WebAuthn ceremony that enrolls an attacker-controlled device credential. It is distinct from the existing `fido-passkey-downgrade-lure`, which pressures fallback-to-password on a victim who ALREADY has a passkey; this signal targets the enrollment flow on victims who don't have a passkey yet. Shipped against the 2026 mass-migration wave: Google passkey-default Jan 2026, Microsoft passwordless-by-default enterprise rollout 2026, Apple iCloud passkey default iOS 18.4+. Evidence: FIDO Alliance 2026 Passkey Usage Report; Krebs on Security, Ars Technica, The Verge 2026 scam-wave coverage.
passkey-enrollment-migration-phishing
What this tier means
High-confidence threat indicator — phishing, impersonation, BEC, or scam pattern. Strong contributor to the trash decision.
How Gorganizer detects this
This signal targets phishing emails that weaponize the 2026 mass-migration to passkeys. Google rolled out passkey-default for consumer accounts in January 2026; Microsoft began passwordless-by-default enterprise rollout in 2026; Apple made iCloud and Apple ID passkey-first in iOS 18.4+. Mass migration = mass unfamiliarity with the enrollment flow = mass phishing opportunity.

The attacker impersonates the identity provider (Google / Gmail / Google Workspace / Microsoft 365 / M365 / Outlook / Office 365 / Apple ID / iCloud / Yahoo / Okta / Duo / 1Password / Authy / Authenticator) with a passkey-enrollment narrative: "Your Google Account is being migrated to passkeys, confirm this device now." "Microsoft 365 passkey enrollment required." "Apple ID: confirm this device for passkey setup." "Your sign-in method has changed — set up your passkey."

The login link points at a typosquat host (google-passkey-enrollment.example, ms365-passkey-activate.example, apple-id-passkey-setup.example) that either captures the current password in a fake "confirm your current password before we move you to passkeys" step OR initiates a WebAuthn ceremony that enrolls an attacker-controlled device credential as the victim's new passkey. Either path compromises the account fully.

This signal is DISTINCT from `fido-passkey-downgrade-lure`, which fires on the opposite shape: a victim who already HAS a passkey, getting pressured with "your passkey is temporarily unavailable, sign in with your password instead" so the attacker can harvest the password. The enrollment variant (this signal) targets the much larger pool of users who haven't set up a passkey yet.

Evidence: FIDO Alliance 2026 Passkey Usage Report; Google engineering blog January 2026 passkey-default announcement; Microsoft Entra ID documentation on enterprise passkey rollout; Apple Platform Security Guide iOS 18.4 passkey section; Krebs on Security + Ars Technica + The Verge 2026 coverage of passkey-migration scam waves.
Legitimate passkey-enrollment emails from the real identity providers link exclusively to their own domains: `accounts.google.com`, `myaccount.google.com`, `login.microsoftonline.com`, `appleid.apple.com`, `icloud.com`. Any passkey-enrollment email whose link target is a non-IdP host is, by construction, a phish. If in doubt, go directly to the identity-provider's real account-security page via a bookmarked URL and initiate passkey setup there.
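The link-target rule above can be sketched as follows. This is an added example, not Gorganizer's own code: the regexes, function names and the sample email are assumptions made for illustration, and only the host allowlist and the typosquat host come from this page.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Legitimate IdP hosts, copied from the list on this page.
IDP_HOSTS = {"accounts.google.com", "myaccount.google.com",
             "login.microsoftonline.com", "appleid.apple.com", "icloud.com"}
# Assumed patterns for this sketch; a production rule set would be broader.
BRAND = re.compile(r"\b(google|gmail|microsoft|m365|outlook|office 365|"
                   r"apple id|icloud|yahoo|okta|duo|1password)\b", re.I)
ACTION = r"(enroll\w*|migrat\w*|set ?up|confirm this device)"
NARRATIVE = re.compile(rf"\bpasskeys?\b.{{0,80}}\b{ACTION}\b|"
                       rf"\b{ACTION}\b.{{0,80}}\bpasskeys?\b", re.I | re.S)
# Constructed sample body; the lure text and host are the ones quoted on this page.
SAMPLE_PHISH = ('<p>Your Google Account is being migrated to passkeys, '
                'confirm this device now.</p>'
                '<a href="https://google-passkey-enrollment.example/confirm">Confirm</a>')


class _Links(HTMLParser):
    """Collect href targets and visible text from an HTML body."""
    def __init__(self):
        super().__init__()
        self.hrefs, self.text = [], []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hrefs += [v for k, v in attrs if k == "href" and v]

    def handle_data(self, data):
        self.text.append(data)


def is_idp_host(host):
    """Exact match or dot-bounded subdomain (assumed policy); never a substring test."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in IDP_HOSTS)


def score_passkey_enrollment(html_body):
    """Return (fires, off_idp_hosts) for one HTML email body."""
    parser = _Links()
    parser.feed(html_body)
    text = " ".join(" ".join(parser.text).split())
    if not (BRAND.search(text) and NARRATIVE.search(text)):
        return False, []  # not a passkey-enrollment narrative at all
    # urlsplit().hostname drops any "user@" prefix, so a real IdP name
    # placed in the userinfo part does not satisfy the allowlist.
    hosts = {urlsplit(h).hostname for h in parser.hrefs
             if h.lower().startswith(("http://", "https://"))}
    bad = sorted(h for h in hosts if h and not is_idp_host(h))
    return bool(bad), bad
```

Comparing the parsed hostname against a dot-bounded suffix, rather than searching the URL string for an IdP name, is what keeps hosts such as `accounts.google.com.evil.example` from passing the check.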
False-positive guard
Every signal in Gorganizer feeds a multi-module score — never a sole verdict. This is a threat-tier signal — it adds a strong contribution to the trash score. The full pipeline still requires convergence across multiple modules + a margin over the safety floor before deletion happens, and Gmail's trash (30-day recovery) is always used — never permanent delete.
About the scoring engine
Gorganizer's scoring engine emits over 1,800 signals across six modules — headers, sender, subject, body, attachments, and structural metadata. Every email is scored by every module independently; the final verdict requires multiple modules to agree and the trash score to beat the safety floor by a margin.
Sacred safety guards — never delete starred emails, replies, calendar invites, receipts/invoices, or attachments — apply unconditionally regardless of any signal.