Depends on the service used. I currently have something like 40 services using Microsoft Authenticator with Entra ID, and 20 using Google. I also use Auth0, CyberArk, Nymi, BeyondTrust, and a few others.
The security is only as good as the security of the cloud platform. If someone can get onto the admin platform without MFA, all bets are off.
Your IMEI is literally just a code representing the handset. This is why, professionally, I’d say NEVER lock MFA options down to MDM-managed smartphones (the USA loves Apple MDM but you might as well advertise, “hack this one system and you’ve got the keys to the castle!”).
If my employer got hacked, they still wouldn’t be able to clone my MFA phone. It’s intentionally off grid. I’ve got the authenticators running in offline mode with the phone... Basically, it’s a 5-year-old phone with no SIM and no WiFi, acting as a 60-in-one RSA token. It goes online only when I need to add another authenticator.
I used to use Myki password manager, which worked the same way. Passwords were stored in a TPM-encrypted vault, private key known only to Myki. The sheer effort required to get into the vault (needed physical access to the phone with a way to bypass its biometric protection) combined with the fact nobody would know what passwords I had in there - made it borderline unhackable.
MS Authenticator creates a private key for each registered service, associating whatever data is in the QR code sent by the service to that private key. Registration is essentially completed by sending the corresponding public key.
There's no IMEI involved, not needed and not useful. Private keys stored in the phone can't be extracted by any method. Once registered, the service just has to validate a signed message using the public key. Cloning is impossible.
If there is an app of any sort on a phone it would use PKI.
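The registration and signed-challenge flow described in the reply above, as an added example that is not part of the thread and is not Microsoft's code or protocol. The `Device` and `Service` classes, the user name and the service id are hypothetical, and an in-memory Ed25519 key stands in for a key held in the phone's key store.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical authenticator app: one key pair per registered service.
class Device {
  constructor() { this.keys = new Map(); }
  register(serviceId) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
    this.keys.set(serviceId, privateKey);            // private key stays on the device
    return publicKey.export({ type: 'spki', format: 'pem' }); // only this is sent out
  }
  respond(serviceId, challenge) {
    // Sign the service id together with the nonce so a signature is bound to one service.
    const msg = Buffer.concat([Buffer.from(serviceId), challenge]);
    return nodeCrypto.sign(null, msg, this.keys.get(serviceId));
  }
}

// Hypothetical relying service: stores public keys, issues one-time challenges.
class Service {
  constructor(id) { this.id = id; this.pubKeys = new Map(); this.pending = new Map(); }
  enroll(user, pem) { this.pubKeys.set(user, nodeCrypto.createPublicKey(pem)); }
  challenge(user) {
    const nonce = nodeCrypto.randomBytes(32);
    this.pending.set(user, nonce);
    return nonce;
  }
  verify(user, signature) {
    const nonce = this.pending.get(user);
    const key = this.pubKeys.get(user);
    if (!nonce || !key) return false;
    this.pending.delete(user);                       // single use, so a replay fails
    const msg = Buffer.concat([Buffer.from(this.id), nonce]);
    return nodeCrypto.verify(null, msg, key, signature);
  }
}

// Constructed scenario: enrolled phone, a replayed response, and a second device
// that registered its own key but never enrolled it for this user.
function demo() {
  const phone = new Device(), other = new Device();
  const svc = new Service('vpn.example');
  svc.enroll('alice', phone.register(svc.id));
  other.register(svc.id);
  const sig = phone.respond(svc.id, svc.challenge('alice'));
  const ok = svc.verify('alice', sig);
  const replay = svc.verify('alice', sig);
  const forged = svc.verify('alice', other.respond(svc.id, svc.challenge('alice')));
  return { ok, replay, forged };
}
```

The service only ever holds public keys, so what it needs to protect is the enrollment step and the freshness of each challenge.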