The order in which authentication options are presented is dependent on the default authenticator override on the rule.
The prebuilt UI will default to the following:
1) the default authenticator override on the rule, if configured,
Then
2) the user's preferred default, which they can set in the UI,
Then
3) it will fall back to a priority based on security: passkey -> SMS -> Email.