This update helps organizations accelerate adoption of phishing‑resistant credentials by allowing administrators to opt users into Passkeys and deliver Passkey registration nudges during sign‑in.

Anecdotally, I'm not sure sign-in time is the best time to prompt users to enroll Passkeys. I get that it's a convenient time, but both in my professional and personal life, I see so much enrollment happen because the user is just trying to get past to prompt to do whatever they came here to do. Users don't necessarily understand that they've just enrolled a synced/not-hardware-attested Passkey that won't necessarily be on all of their devices the next time they need to authenticate , that they could lose this Passkey if they retire this device, how to ensure Passkeys are synced where they need them to be, and what their fallback methods are, if any.

It often feels to me that users are tricked into enrolling a Passkey without any user education and then they hit a lot of friction later when a Passkey isn't available.