Does the MFA service use a secret key to encrypt the FR-USERNAME_PWD string and the app use the same secret key to decrypt it? If that's the case, could the adversary reverse engineer the app to find the secret key? If so, could you deploy each MFA with a unique private key and register the public key at the server during the registration step? Seems like one of several ways to avoid the shared secret key problem.
Is the IMEI for my phone secret, or can it be looked up by an adversary pretending to be me? Serial number portion of the IMEI is six digits and the rest (manufacturer, model) would be publicly known. The six digits might become public through signaling or some other third party use of the number. The fact that you have the IMEI in your own server database is a red flag because it's no longer secret.
I suspect what you really need is a unique code on the device that is guaranteed to be secret. Simplest solution is a private key. When I did my bit of phone-based authentication I used the secure key storage in Android. In short, the private key remains in the secure enclave and the only thing you can do with it as a programmer is use it to sign a message. I sign the message, send it to the server, and the server validates the signature using the public key. The public key is stored in the server during the registration step (my registration was somewhat complex but still a separate step like you are doing).
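The challenge-response flow described in the comment above, written out as an added example in Go (this is not the commenter's code and not any product's implementation). It assumes P-256 ECDSA, a random 32-byte server challenge, and a device ID bound into the signed message; the device's private key is held in process memory here purely for illustration, whereas on a real phone it would sit in the hardware-backed keystore and only the Sign operation would be reachable.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Device models the phone side. In production the private key never
// leaves the secure keystore; this in-memory key is an assumption for the demo.
type Device struct {
	ID   string
	priv *ecdsa.PrivateKey
}

// NewDevice generates a fresh per-device keypair (the "unique private key
// per MFA" idea from the thread).
func NewDevice(id string) (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{ID: id, priv: priv}, nil
}

// PublicKey is what gets sent to the server during registration.
func (d *Device) PublicKey() *ecdsa.PublicKey { return &d.priv.PublicKey }

// digest binds the challenge to the device ID so a signature for one
// device cannot be presented for another.
func digest(id string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(id+"|"), challenge...))
	return h[:]
}

// Sign is the only key operation the device exposes: sign a server challenge.
func (d *Device) Sign(challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, d.priv, digest(d.ID, challenge))
}

// Server stores registered public keys and one outstanding challenge per device.
type Server struct {
	keys       map[string]*ecdsa.PublicKey
	challenges map[string][]byte
}

func NewServer() *Server {
	return &Server{keys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register is the separate enrollment step: the server keeps only the public key.
func (s *Server) Register(id string, pub *ecdsa.PublicKey) error {
	if _, exists := s.keys[id]; exists {
		return errors.New("device already registered")
	}
	s.keys[id] = pub
	return nil
}

// Challenge issues a fresh random nonce for the device to sign.
func (s *Server) Challenge(id string) ([]byte, error) {
	if _, ok := s.keys[id]; !ok {
		return nil, errors.New("unknown device")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[id] = c
	return c, nil
}

// Verify checks the signature against the registered public key and
// consumes the challenge so the same signature cannot be replayed.
func (s *Server) Verify(id string, sig []byte) error {
	pub, ok := s.keys[id]
	if !ok {
		return errors.New("unknown device")
	}
	c, ok := s.challenges[id]
	if !ok {
		return errors.New("no outstanding challenge (possible replay)")
	}
	delete(s.challenges, id) // single use
	if !ecdsa.VerifyASN1(pub, digest(id, c), sig) {
		return errors.New("bad signature")
	}
	return nil
}

func main() {
	dev, _ := NewDevice("phone-1")
	srv := NewServer()
	_ = srv.Register(dev.ID, dev.PublicKey())
	c, _ := srv.Challenge(dev.ID)
	sig, _ := dev.Sign(c)
	fmt.Println("challenge:", hex.EncodeToString(c))
	fmt.Println("first verify:", srv.Verify(dev.ID, sig))  // <nil>
	fmt.Println("replayed verify:", srv.Verify(dev.ID, sig)) // error: no outstanding challenge
}
```

The server database ends up holding only public keys and short-lived nonces, so a breach of it (the "red flag" raised about storing the IMEI) gives an attacker nothing they can use to impersonate a device.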
Depends on the service used. I currently have something like 40 services using Microsoft Authenticator with Entra ID, and 20 using Google. I also use Auth0, Cyberark, Nymi, Beyond Trust, and a few others.
The security is only as good as the security of the cloud platform. If someone can get onto the admin platform without MFA, all bets off.
Your IMEI is literally just a code representing the handset. This is why, professionally, I'd say NEVER lock MFA options down to MDM managed smartphones (the USA loves Apple MDM but you might as well advertise, "hack this one system and you've got the keys to the castle!").
If my employer got hacked they still wouldn’t be able to clone my MFA phone. It’s intentionally off grid. I’ve got the authenticators running in offline mode with the phone... Basically, it’s a 5 year old phone with no SIM and no WiFi, acting as a 60-in-one RSA token. It goes online only when I need to add another authenticator.
I used to use Myki password manager, which worked the same way. Passwords were stored in a TPM encrypted vault, private key known only to Myki. The sheer effort required to get into the vault (needed physical access to the phone with a way to bypass its biometric protection), combined with the fact that nobody would know what passwords I had in there, made it borderline unhackable.