According to the documentation, the loginless flow consists only of a single execution:
It states that:
You can now add the required action WebAuthn Register Passwordless to a user, already known to Keycloak, to test this. The user with the required action configured will have to authenticate (with a username/password for example) and will then be prompted to register a security key to be used for loginless authentication
So with that configuration an existing user without a registered security key should be able to login with their user/password and then offered to register the security key.
However, given that our authentication flow only has a single step (WebAuthn Passwordless Authenticator) they are never asked for their user/pass, instead, they are only offered the security key login directly:
Press sign in:
How can we support loginless auth and user/password for users without a registered device?