Cannot use Microsoft Authenticator app

Andre Perez 21 Reputation points
2021-06-15T11:55:48.93+00:00

Hi,

At my company we are using Azure MFA, and we have a secure area where employees cannot take their phones.
Using the phone call is not suitable because of security requirements. We are testing a USB token and it works as expected, but I have 2 questions:

1) Is there a way to set the USB token as the default instead of the phone number or Microsoft Authenticator?
2) Is it possible to use a fingerprint reader like the following one to authenticate users, storing the fingerprint in AD/Azure AD?

Thanks

[Image: the fingerprint reader referred to above]


Accepted answer
Marilee Turscak-MSFT 36,821 Reputation points Microsoft Employee
2021-06-15T21:27:55.693+00:00

1) Based on my research, you cannot set Security Key as the default login option for all users on everything, because not all Microsoft applications currently support security key-based sign-in. (For example, Azure AD PowerShell, login to Azure AD/Office 365 services on iOS, or even Outlook/Teams running on Windows.) Security key (FIDO2) based sign-in is an optional feature and is not enforced, since not all Microsoft services are compatible with security key-based login.

Rather than changing the default, users can add the USB key and select "sign in another way". Or they could delete the other verification methods.

They do also have the option to specify a security key as the preferred method to open the lock screen. https://video2.skills-academy.com/en-us/azure/active-directory/user-help/user-help-sign-in?toc=./toc.json#sign-in-using-a-security-key-at-the-lock-screen


https://support.yubico.com/hc/en-us/articles/360015669179-Using-YubiKeys-with-Azure-MFA-OATH-TOTP
https://techcommunity.microsoft.com/t5/azure-active-directory-identity/hardware-oath-tokens-in-azure-mfa-in-the-cloud-are-now-available/ba-p/276466
https://www.reddit.com/r/sysadmin/comments/gwice3/microsoft_mfa_with_usb_key_as_default/

2) Windows Hello for Business with Intune will allow users to authenticate using a fingerprint reader. If they do this, they are required to have both biometrics and a PIN set up. The data is stored on the local device, though, and not in Azure.

"Windows Hello for Business is an alternative sign-in method that uses Active Directory or an Azure Active Directory account to replace a password, smart card, or a virtual smart card. It lets you use a user gesture to sign in, instead of a password. A user gesture might be a PIN, biometric authentication such as Windows Hello, or an external device such as a fingerprint reader."

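As an added example (not from the question, the accepted answer, or Microsoft), the following PowerShell script uses the Microsoft Graph PowerShell SDK to audit the members of a group, such as the staff who work in the phone-free area, and report who has a FIDO2 security key registered alongside phone or Authenticator methods. With -RemovePhoneMethods it removes the phone methods of users who do hold a key, which is the "delete the other verification methods" route the answer describes. The group name is a constructed placeholder; the cmdlets are the real Microsoft.Graph ones.

```powershell
<#
  Added example (not part of the original Q&A): audit FIDO2 security key
  registration for a group of users and, optionally, remove their phone
  methods so the key is what they are prompted with.
  Requires the Microsoft.Graph PowerShell SDK (Microsoft.Graph.Groups,
  Microsoft.Graph.Identity.SignIns).
#>
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Constructed placeholder: the group whose members work in the secure area.
    [string]$GroupName = 'SecureArea-Staff',
    # When set, remove phone methods from users who already have a FIDO2 key.
    [switch]$RemovePhoneMethods
)

# Delegated scopes: read group membership, read/write users' authentication methods.
Connect-MgGraph -Scopes 'GroupMember.Read.All', 'User.Read.All', 'UserAuthenticationMethod.ReadWrite.All' -NoWelcome

$group = Get-MgGroup -Filter "displayName eq '$GroupName'" -Property Id, DisplayName
if (-not $group) { throw "Group '$GroupName' not found." }

$report = foreach ($member in Get-MgGroupMember -GroupId $group.Id -All) {
    # Group members can be devices or nested groups; only handle user objects.
    if ($member.AdditionalProperties['@odata.type'] -ne '#microsoft.graph.user') { continue }
    $upn = $member.AdditionalProperties['userPrincipalName']

    # Registered methods per user, wrapped in @() so .Count works for 0 or 1 results.
    $fido2   = @(Get-MgUserAuthenticationFido2Method -UserId $member.Id)
    $phone   = @(Get-MgUserAuthenticationPhoneMethod -UserId $member.Id)
    $authApp = @(Get-MgUserAuthenticationMicrosoftAuthenticatorMethod -UserId $member.Id)

    # Only strip phone methods from users who already have a key, so nobody
    # is left without a registered method.
    if ($RemovePhoneMethods -and $fido2.Count -gt 0) {
        foreach ($p in $phone) {
            # ShouldProcess gives -WhatIf / -Confirm support.
            if ($PSCmdlet.ShouldProcess("$upn ($($p.PhoneType) $($p.PhoneNumber))", 'Remove phone method')) {
                Remove-MgUserAuthenticationPhoneMethod -UserId $member.Id -PhoneAuthenticationMethodId $p.Id
            }
        }
    }

    [pscustomobject]@{
        User               = $upn
        Fido2Keys          = $fido2.Count
        KeyModels          = ($fido2.Model | Sort-Object -Unique) -join ', '
        PhoneMethods       = $phone.Count
        AuthenticatorApps  = $authApp.Count
        # Users without a key still depend on phone/app methods; flag them for enrollment.
        NeedsKeyEnrollment = ($fido2.Count -eq 0)
    }
}

$report | Sort-Object NeedsKeyEnrollment -Descending | Format-Table -AutoSize
```

Run it once without -RemovePhoneMethods to get the inventory, then with -RemovePhoneMethods -WhatIf to see exactly which methods would go. Because, as the answer notes, some Microsoft clients do not support security-key sign-in, the report keeps the Authenticator app count visible so you can confirm those users still have a second method those clients accept before removing anything.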

0 additional answers
