We delayed the deployment of mandatory MFA to allow us to plan for the change, purchasing YubiKeys to be used by our break-glass account(s).
Setting the keys up, I'm told the accounts first need to set up an alternative MFA method before the key can be enrolled: https://learn.microsoft.com/en-us/entra/identity/authentication/how-to-register-passkey-with-security-key
Why is this? If an account doesn't have MFA set up already, then there's no benefit to setting up another MFA method before I can enroll the YubiKey.
Obviously I can set up MFA for the break-glass accounts, set up the YubiKey, then remove the other MFA method. Unless I'm missing something, it seems an unnecessary step that doesn't improve security. Why can't you just set up a security key without having another MFA method set up first?