However, I can't find any way to set either FIDO2 security key or mobile app code-only for SSPR. Mobile app code SSPR option is requiring setting up a second SSPR option such as SMS. I don't see any option to add FIDO2 security keys or hardware tokens for SSPR at all.
We want to set users up so their options for MFA and SSPR are just authenticator app OTP codes (if the user uses a smart phone) or FIDO2 tokens (if they don't use a phone). We don't want SMS, email or security questions enabled at all even as a secondary option.