I hate to go off topic, but I will. I think that I understand the thinking that suggested this policy, but how do you log in to sites that require 2FA on the actual device where you run the authenticator app? Or do you just have a device that has the authenticator app and that device is not allowed to log in to any site or app that requires 2FA?
I’m thinking that every device that is running an Apple OS can be set not to unlock without a passphrase, so I’m not sure why that isn’t good enough for this process. It would require locking your Mac when you left your desk, but you should do that anyway.
Plus, of course, there are authenticator apps that can be set to use their own passphrase before they show the codes (Authy can be set this way), so that sounds like it would be a better policy. (Plus, as Adam mentioned, there is already an Authy Mac app anyway.) Authy can be set to cloud sync the secrets for the codes, but it doesn’t have to be set that way - each machine can be an island.
Of course it might be better in your company’s case to require unlocking with a hardware token device, like a YubiKey. But I know that they’re not always supported.