Sadly I haven’t managed to find a way to make Keycloak prefer security keys for 2FA over TOTP. I always get the TOTP prompt first, then have to click "try another way" and select security key.
It depends on the order in which the user registered their 2FA, since they are ordered (and an admin can move factors up/down in the admin interface).
If you move the WebAuthn devices above the TOTP, Keycloak will first ask for the WebAuthn key with a button to switch back to another method (TOTP). It's slightly annoying.