To add on, at my work we started getting yubikeys for the people who didnt want Microsoft's authenticator on their phone and found they still need to download the mfa to set up the yubikey in the first place. So its not a perfect solution if you dont want the authenticator to touch your phone at all.
I can also confirm that the help desk members who are not enlightened about Microsoft will ridicule you for not wanting the MFA even if its reasonable to not want Microsoft on your phone. As much as we think all techs are Linux nerds, I have the opposite at my work. Some of the higher up techs are constantly trying to get people to switch to windows 11...
Wouldn't they just wipe it and put windows on it or sell it if they didn't know how to use it? Most thieves don't keep stuff like stolen computers around.