Would a passcode (different from phone, of course) or biometric unlock for the 2FA app count? For example, I have bitwarden and Aegis, both have fingerprint unlock when opened with a reasonably short timeout. So, even if my phone pin was compromised, both would still require biometric unlock to access.