Keycloak: Add big bold warning for users to BACKUP THEIR MFA on the "Add new MFA" form
This is twofold, I think:
- On the TOTP form, add a big warning for users to back up their TOTP codes via an app that supports this (on Android, at least Aegis does). Also, make users aware in the same warning that they could use a second TOTP if they want.
- On the WebAuthn form, urge users to have at least one TOTP on top of the WebAuthn (or a second WebAuthn device).
- In all cases, make users aware in no uncertain terms that it is really their responsibility not to lose access to their account, and that it will be tedious, if possible at all, to restore access once lost.
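As an added illustration of why the TOTP backup in the first bullet matters (this is example code written for this issue, not Keycloak's own implementation): what the authenticator app stores from the QR code is the `otpauth://` provisioning URI, and the one-time codes are computed purely from that shared secret and the clock. A backup exported from an app such as Aegis and restored into a fresh app therefore produces exactly the same codes and keeps the account reachable; nothing on the server has to change. A second TOTP registered as a separate credential would instead have its own secret. The URI below is constructed for the example (the realm and user labels are made up; the secret is the RFC 6238 reference secret), and the parameter names follow the widely used Google Authenticator key-URI format rather than anything Keycloak-specific.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse

# Constructed sample provisioning URI (not from a real Keycloak realm). The
# secret is the RFC 6238 reference key "12345678901234567890" in base32.
SAMPLE_OTPAUTH_URI = (
    "otpauth://totp/example-realm:alice?"
    "secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=example-realm"
    "&algorithm=SHA1&digits=6&period=30"
)

ALGORITHMS = {"SHA1": hashlib.sha1, "SHA256": hashlib.sha256, "SHA512": hashlib.sha512}


def parse_otpauth(uri: str) -> dict:
    """Extract what an authenticator app keeps after scanning the QR code.

    This dict is the thing a user has to back up: lose it and no app on
    earth can regenerate the codes.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP provisioning URI")
    q = parse_qs(parsed.query)
    secret_b32 = q["secret"][0].upper()
    # URIs frequently omit base32 padding; the decoder insists on it.
    secret_b32 += "=" * (-len(secret_b32) % 8)
    return {
        "secret": base64.b32decode(secret_b32),
        "algorithm": q.get("algorithm", ["SHA1"])[0].upper(),
        "digits": int(q.get("digits", ["6"])[0]),
        "period": int(q.get("period", ["30"])[0]),
    }


def hotp(secret: bytes, counter: int, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), ALGORITHMS[algorithm]).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = 30, digits: int = 6, algorithm: str = "SHA1") -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period)."""
    return hotp(secret, at // period, digits, algorithm)


def verify(params: dict, code: str, at: int, window: int = 1) -> bool:
    """Server-side style check, tolerating +/- `window` time steps of clock drift."""
    step = at // params["period"]
    for delta in range(-window, window + 1):
        expected = hotp(params["secret"], step + delta, params["digits"], params["algorithm"])
        if hmac.compare_digest(expected, code):
            return True
    return False


def code_from_uri(uri: str, at: int) -> str:
    """The code any app provisioned from this URI shows at time `at`.

    Calling this for the 'original phone' and for the 'restored backup'
    is the same computation, which is the whole point of backing up the URI.
    """
    p = parse_otpauth(uri)
    return totp(p["secret"], at, p["period"], p["digits"], p["algorithm"])


if __name__ == "__main__":
    now = int(time.time())
    original_phone = code_from_uri(SAMPLE_OTPAUTH_URI, now)
    restored_backup = code_from_uri(SAMPLE_OTPAUTH_URI, now)
    print("original phone :", original_phone)
    print("restored backup:", restored_backup)
    print("server accepts :", verify(parse_otpauth(SAMPLE_OTPAUTH_URI), restored_backup, now))
```

The `verify` helper mirrors the usual server-side tolerance window so the example also shows the failure mode: a code from a device whose clock has drifted by more than the window is rejected even though the secret is correct, which is a different problem from having lost the secret altogether.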
Maybe take inspiration from GitHub on all of this.