You basically just have to create a new 'browser flow' and enable this one in the realm you wish to authenticate with. It wasn't really possible to add multiple keys to the user the last time I configured it -- but according to the docs, that seems to be resolved, so it probably is worth another look.
Sadly I haven’t managed to find a way to make keycloak prefer security keys for 2FA over TOTP. I always get the TOTP prompt first, then have to click "try another way" and select security key.
It depends on the order that the user registered their 2FA, since they are ordered (and an admin can move factors up/down in the admin interface).
If you move the WebAuthn devices above the TOTP, Keycloak will first ask for the WebAuthn key with a button to switch back to another method (TOTP). It's slightly annoying.
@stavros, not sure if OSS is a requirement, but my current employer is in the same space.
It is not open source, but there is a gratis/free-as-in-beer edition that you can download and use commercially (for certain usage: https://fusionauth.io/license-faq#3).
It's pretty great, but you should be aware that the LTS version is called Red Hat Single Sign-On (RH SSO), and Keycloak itself updates every few months.
It's usually not a deal breaker, but you should be aware of it if you're going to evaluate it for work.
https://keycloak.ch/keycloak-tutorials/tutorial-webauthn/