@nekodojo: you may receive a convincing email or SMS inviting you to create a passkey at CapitalOne (or any other organization).
It'll contain a link to a website that looks exactly like CapitalOne's. However, the domain name will differ. The site will perform an AitM (Adversary in the Middle) attack.
In order to create a passkey, you'll have to log in first, typically by providing your email address and password, optionally combined with a 2FA code (text message or from an authenticator app).
The fake website will immediately forward all credentials you provide to the real CapitalOne website. Not you, but *they* will log in to CapitalOne.
If the scammers continue to let you create a passkey, it'll be useless, because it's valid only for the fake website.
Meanwhile *they* may create *their* passkey at the real CapitalOne website. That is, apart from changing your password (and other data, like a recovery code) to prevent you from logging in again (soon).
Note that a passkey's public key is *not* embedded in a certificate signed by a trusted third party confirming the *owner* of the public key (+ associated private key).
Screenshots below just made by me:
left = real CapitalOne login page
right = fake AT&T login page (AitM).
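Why a passkey made or used on a look-alike site is useless at the real one, as an added example that is not part of the original post: the browser writes the page's origin into `clientDataJSON` and the authenticator hashes the RP ID into `authenticatorData`, so the relying party's checks fail even when the attacker relays the real site's challenge. The domain names, helper names and sample responses are constructed for illustration, and verification of the signature over these bytes is assumed to happen as a separate step.

```python
import base64
import hashlib
import json

# Assumed names for illustration: the real site and a look-alike domain.
REAL_ORIGIN = "https://login.bank.example"
REAL_RP_ID = "bank.example"
FAKE_ORIGIN = "https://login.bank-example.test"
FAKE_RP_ID = "bank-example.test"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_response(origin: str, rp_id: str, challenge: bytes, ceremony: str):
    """Construct the two signed WebAuthn structures for a page at `origin`."""
    client_data = json.dumps(
        {"type": ceremony, "challenge": b64url(challenge), "origin": origin}
    ).encode()
    flags = bytes([0x05])  # user present (0x01) | user verified (0x04)
    counter = (0).to_bytes(4, "big")
    auth_data = hashlib.sha256(rp_id.encode()).digest() + flags + counter
    return client_data, auth_data


def binding_errors(client_data, auth_data, challenge, ceremony,
                   expected_origin=REAL_ORIGIN, rp_id=REAL_RP_ID):
    """Relying-party checks that tie a passkey response to one site."""
    errors = []
    cd = json.loads(client_data)
    if cd.get("type") != ceremony:
        errors.append("type")
    if cd.get("challenge") != b64url(challenge):
        errors.append("challenge")
    if cd.get("origin") != expected_origin:
        errors.append("origin")  # browser recorded a different site
    expected_hash = hashlib.sha256(rp_id.encode()).digest()
    if len(auth_data) < 37 or auth_data[:32] != expected_hash:
        errors.append("rpIdHash")  # credential is scoped to another RP ID
    elif not auth_data[32] & 0x01:
        errors.append("userPresent")
    return errors
```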




