It could be worth checking the state of WebAuthn without HSK (e.g. using a TPM).
If this is available friction-less for most (non-advanced) users then this could be a nice choice. And the email OTP is only needed when they log in from a new device (which you can detect and handle roughly like a password reset workflow).
Though I'm not sure what the state of WebAuthn for non-HSK use cases is.
Using email OTP as a "reset/new device" mechanism and as a fallback in case the platform doesn't support WebAuthn.
Platform authentication means it uses Touch ID/Face ID/etc. which people are already somewhat familiar with.
And email OTP as password reset is something people are used to. (They are also often used to resetting passwords all the time on rarely used accounts.)
The question is just how many of your users are on devices which support it. (And how hard it is to implement it with the tooling you use.)
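A sketch of the device-support check and flow choice discussed above, as an added example that is not part of the original comment. `chooseLoginFlow`, its return shape and the `knownDevice` hint (for instance a flag the app stores after enrolling a credential on this device) are assumptions; `PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()` is the standard WebAuthn capability query.

```javascript
// Added example: pick between platform WebAuthn and email OTP.
// `env` defaults to the browser global so the logic can be tested with a stub.
async function platformAuthenticatorAvailable(env = globalThis) {
  const pkc = env.PublicKeyCredential;
  // No WebAuthn API, or an old implementation without the capability query.
  if (!pkc || typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== "function") {
    return false;
  }
  try {
    // Resolves to true when a built-in user-verifying authenticator
    // (Touch ID, Face ID, Windows Hello, ...) is usable.
    return (await pkc.isUserVerifyingPlatformAuthenticatorAvailable()) === true;
  } catch {
    // Fail closed to the fallback path if the query itself errors.
    return false;
  }
}

// `knownDevice` is a hypothetical hint supplied by the application.
async function chooseLoginFlow({ env = globalThis, knownDevice = false } = {}) {
  const platform = await platformAuthenticatorAvailable(env);
  if (!platform) {
    // Fallback: the platform does not support WebAuthn.
    return { login: "email-otp", offerEnrollment: false };
  }
  if (knownDevice) {
    // Returning device with an enrolled credential: no email round trip.
    return { login: "webauthn-platform", offerEnrollment: false };
  }
  // New device: verify via email OTP once (like a password reset),
  // then offer to enroll a platform credential for next time.
  return { login: "email-otp", offerEnrollment: true };
}
```

The client-side result only selects which UI to show; the server still has to verify the WebAuthn assertion or the OTP itself.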