[2OEH8eoCRo0]

Is it a SHOULD vs SHALL issue? Link to full spec?

[Hamuko]

It's SHOULD as per RFC2119, so basically you need to have a good reason with an understanding of the implications to ignore it.

One of the implications here being that you have zero available authenticators if your main authenticator breaks.

https://www.w3.org/TR/webauthn-2/