If it can go online, I'd prefer to use an Android work (or user) profile with only auth apps in it, and nothing else.
As a separate device, it should be offline always IMO, and perhaps the size of a passkey. Or one of those banking devices with a display that shows an authenticated text saying what you are confirming.