2FA is such a hassle that IMHO it's only worth it for high-stake accounts. 20+ characters long random passwords are totally adequate security for most accounts and you don't get constantly harassed by 2FA prompts.
WebAuthn prompts aren't a big hassle. On this desktop I reach over and touch the Security Key, on my phone I tap the fingerprint sensor. Because the phone is entitled to set UV since it knows that's my fingerprint not somebody else picking up the phone, they could replace the password step which is more annoying.
WebAuthn is good, easy to use, quick to complete, and more secure than "enter the number we send you", so I like it. Unfortunately most services (that I use, anyway) are stuck in the "let's make you wait 1-2 minutes for a SMS" or "use our/your authenticator app". I find this especially annoying in conjunction with services that seem to use "risk-based authentication", because using an adblocker and anti-fingeprinting = extreme maximum risk for those, i.e. let's force 2FA auth for every action even after five minutes (sometimes, seconds!).
And as far as RBA goes, if they don't go full-2FA, they'll often somehow go for password instead of second factor to verify. I tend to keep my password manager locked when not in active use, so that's more hassle for me on services that DO use WebAuthn (Github, Google) than if they'd just use WebAuthn for the "high risk action" verification.