You must complete a risk-based analysis based upon the users, risk appetite, the organisation in question and the data secured.
This may include considerations such as:
- the classification level of the data
- results of the organisation's risk assessments
- any regulatory requirements governing data
- the security maturity of the organisation
Once this has been completed, its findings should be used to implement an overall policy.
Users handling secure data may be disallowed from using mobile phones at all. Most capable multi-factor authentication systems allow policies that can restrict the ability to install the application on a mobile phone.
Some organisations have granular control over their users' devices with a Mobile Device Management application. In this scenario, it may be prudent to allow corporate users to use their work mobile phone for authentication with a phone application.
Others may even allow personal mobile phones, if the data handled is not classified or the risk is low.
We used MDM to push certs to a phone - that's a "what you have". Access to the phone is PIN or fingerprint (what you know or what you are), so it's 2-factor. The application being accessed is cert-required. This wasn't an easy path; getting certs to work with some apps isn't easy.
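The "application is cert-required" part of the answer above is, in TLS terms, mutual TLS with `RequireAndVerifyClientCert`: the application only completes the handshake if the client presents a certificate chaining to the organisation's MDM CA. The following Go program is an added example, not code from the original thread; it builds a throwaway CA, a server certificate for a hypothetical application and a "device" certificate standing in for the one an MDM would push to an enrolled phone, then shows that the same client is admitted with the device certificate and rejected without it. All names (`Demo Corp MDM CA`, `app.internal`, `phone-0001`) are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// PKI holds a throwaway CA plus the two leaf certificates the demo needs: one for
// the protected application and one that stands in for the certificate an MDM
// would provision onto an enrolled phone (the "what you have" factor).
type PKI struct {
	Pool   *x509.CertPool  // trust anchor shared by application and device
	Server tls.Certificate // the application's TLS identity
	Device tls.Certificate // the MDM-provisioned device certificate
}

// issue creates a certificate for cn signed by parent; a nil parent yields a self-signed CA.
func issue(cn string, eku []x509.ExtKeyUsage, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           eku,
		BasicConstraintsValid: true,
		IPAddresses:           []net.IP{net.ParseIP("127.0.0.1")}, // demo server listens on loopback
	}
	signer, signerKey := parent, parentKey
	if parent == nil { // self-signed root: may sign other certificates
		tmpl.IsCA = true
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		signer, signerKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildPKI mints the CA, the application certificate and the device certificate.
func BuildPKI() (*PKI, error) {
	ca, caKey, err := issue("Demo Corp MDM CA", nil, nil, nil)
	if err != nil {
		return nil, err
	}
	srv, srvKey, err := issue("app.internal", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, ca, caKey)
	if err != nil {
		return nil, err
	}
	dev, devKey, err := issue("phone-0001", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, ca, caKey)
	if err != nil {
		return nil, err
	}
	pool := x509.NewCertPool()
	pool.AddCert(ca)
	return &PKI{
		Pool:   pool,
		Server: tls.Certificate{Certificate: [][]byte{srv.Raw}, PrivateKey: srvKey},
		Device: tls.Certificate{Certificate: [][]byte{dev.Raw}, PrivateKey: devKey},
	}, nil
}

// ServerConfig is the application side: a client without a CA-issued certificate is refused.
func (p *PKI) ServerConfig() *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{p.Server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    p.Pool,
	}
}

// Attempt starts the application on loopback and connects to it once, with or without
// the device certificate. It returns nil only if the application admitted the client.
func Attempt(p *PKI, withDeviceCert bool) error {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", p.ServerConfig())
	if err != nil {
		return err
	}
	defer ln.Close()
	go func() {
		c, err := ln.Accept()
		if err != nil {
			return
		}
		defer c.Close()
		// The handshake is where the client certificate is demanded and verified.
		if err := c.(*tls.Conn).Handshake(); err != nil {
			return
		}
		c.Write([]byte("ok"))
	}()
	cfg := &tls.Config{RootCAs: p.Pool}
	if withDeviceCert {
		cfg.Certificates = []tls.Certificate{p.Device}
	}
	conn, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil {
		return err
	}
	defer conn.Close()
	conn.SetDeadline(time.Now().Add(5 * time.Second))
	// Under TLS 1.3 the client finishes its side before the server checks the
	// certificate, so the rejection surfaces on the first read rather than on Dial.
	buf := make([]byte, 2)
	if _, err := io.ReadFull(conn, buf); err != nil || string(buf) != "ok" {
		return fmt.Errorf("rejected by application: %v", err)
	}
	return nil
}

func main() {
	p, err := BuildPKI()
	if err != nil {
		panic(err)
	}
	fmt.Println("with device cert:   ", Attempt(p, true))
	fmt.Println("without device cert:", Attempt(p, false))
}
```

The read after `Dial` matters: with TLS 1.3 the client's handshake returns before the server has evaluated the client certificate, so a check that only looks at the `Dial` error would wrongly report success for an unenrolled device.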