Feature Request: FIDO2 only authentication on new devices
Summary
Add an account security option that enforces FIDO2 security keys as the only allowed 2FA method when a user signs in from a new or untrusted device.
Problem / Current Behavior
In the current login flow, when a user has a FIDO2 key enabled, the user can still fall back to OTP-based 2FA rolling codes. This creates a downgrade path, since the weaker OTP factor can be used in place of the key.
Desired Behavior (What should change)
Provide an ON/OFF setting such as: “Require FIDO2 security key for new/untrusted devices.”
When enabled
• FIDO2 is required when signing in from a new/untrusted device.
• OTP fallback is not offered in that same new/untrusted device flow.
• On already trusted devices, the service may continue using the existing “trusted session” behavior.
Trigger Condition
FIDO2-only enforcement is triggered only when the service determines the login attempt is from:
• a new device, or
• an untrusted device/session
Preconditions and Safety Net (Required before enabling)
To prevent lockouts, require the following before the user can enable the option:
• Recovery code generated and confirmed by user
• At least two registered FIDO2 keys
• A clear warning + acknowledgement: enabling this can block access if keys are lost
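The policy described above (FIDO2-only on new/untrusted devices, trusted devices unchanged) and the enable-time safety net, written out as an added example; this is illustrative code, not the service's own implementation, and the Account fields are assumed names for the state the service would consult.

```python
from dataclasses import dataclass

# Constructed model of the account state the policy looks at (assumption:
# the real service stores this differently; field names are illustrative).
@dataclass
class Account:
    fido2_keys: int = 0                          # number of registered FIDO2 keys
    otp_enabled: bool = False                    # OTP rolling codes configured
    recovery_code_confirmed: bool = False
    lockout_warning_acknowledged: bool = False
    require_fido2_on_new_devices: bool = False   # the proposed ON/OFF setting

def unmet_preconditions(acct: Account) -> list[str]:
    """Return the safety-net preconditions that still fail; empty means OK to enable."""
    problems = []
    if not acct.recovery_code_confirmed:
        problems.append("recovery code not generated/confirmed")
    if acct.fido2_keys < 2:
        problems.append("fewer than two FIDO2 keys registered")
    if not acct.lockout_warning_acknowledged:
        problems.append("lockout warning not acknowledged")
    return problems

def enable_setting(acct: Account) -> bool:
    """Turn the option on only when every precondition holds; False otherwise."""
    if unmet_preconditions(acct):
        return False
    acct.require_fido2_on_new_devices = True
    return True

def allowed_2fa_methods(acct: Account, device_trusted: bool) -> list[str]:
    """Methods the login flow may offer for this device.

    With the option on and the device new/untrusted, only FIDO2 is offered,
    which closes the OTP downgrade path. Trusted devices keep the existing
    behaviour (FIDO2 plus OTP if configured).
    """
    methods = []
    if acct.fido2_keys > 0:
        methods.append("fido2")
    if acct.otp_enabled:
        methods.append("otp")
    if acct.require_fido2_on_new_devices and not device_trusted:
        return [m for m in methods if m == "fido2"]
    return methods
```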