An IMEI (International Mobile Equipment Identity) is a unique 15-digit code that identifies a mobile device, like a phone, similar to a VIN number on a car.
So 8n simple terms the MFA service generates an encrypted string from “FREEREPUBLIC-USERNAME-PASSWORD” and turns it into a QR code.
Nothing else knows how to decrypt the string, except that specific MFA app. If you use a photo app, QR scanner app, or Google Authenticator, they’ll throw an error because they can’t decrypt it.
When you scan the code, your phone adds its EMEI. So the MFA server receives “FREEREPUBLIC-USERNAME-PASSWORD-EMEI”.
Registration over.
From that point on, your username and password are tied to that specific app and the specific handset. A simple unlock challenge regenerates the encrypted string, ie “this is my username, this is my password, and I’m using THIS phone with THIS EMEI.”
If that matches what you registered, you’re logged in successfully.
If you lose your phone, you can go through the registration process again on the replacement phone, which can be done by emailing you a temporary code.
Does the MFA service use a secret key to encrypt the FR-USERNAME_PWD string and the app use the same secret key to decrypt it? If that's the case could the adversary reverse engineer the app to find the secret key? If so, could you deploy each MFA with a unique private key and register the public key at the server during the registration step? Seems like one of several ways to avoid the shared secret key problem.
Is the IMEI for my phone secret, or can it be looked up by an adversary pretending to be me? Serial number portion of the IMEI is six digits and the rest (manufacturer, model) would be publicly known. The six digits might become public through signaling or some other third party use of the number. The fact that you have the IMEI in your own server database is a red flag because it's no longer secret.
I suspect what you really need is a unique code on the device that is guaranteed to be secret. Simplest solution is a private key. When I did my bit of phone-based authenication I used the secure key storage in Android. In short the private key remains in the secure enclave and the only thing you can do with it as a programmer is use it to sign a message. I sign the message, send it to the server, the server validates the signature using the public key. The public key is stored in the server during the registration step (my registration was someone complex but still a separate step like you are doing).