I'm working to implement MFA for remote users leveraging Access with an Authenticator App

I'm good with the understanding and setup of applications and policies in Access.  I'm setting up a policy for external users to authenticate with an unregistered device so for MFA I would like to request password and auth. app.

In thinking over the design I'm stuck in a chicken or the egg problem.  How does the user register the auth. app. using MFA?  I'll try to explain what I'm thinking.

When using an authenticator app in a policy if the user is has not previously registered an authenticator app they can choose to register one.  In my mind I'm thinking if someone's password has been stolen by a bad actor and they have not previously registered an authenticator app, couldn't the actor just register their own authenticator app thereby defeating the intended MFA?  If the authenticator app is not in an approval workflow or requiring its own MFA to register then doesn't this present a problem?  Or am I missing something?