Hi Robert,
you can find several discussions about this at https://security.stackexchange.com/.
I personally think in an enterprise environment the users MUST NOT transfer the app to another phone. Well, if you are some application provider like Amazon, you might be interested in doing so. Because you want to push many tasks to the user.
If you are in an enterprise environment you especially do not want to ALLOW the user to transfer the token to another phone. Think of there might be policies, that the token is only available on ONE pyhsical device. Maybe the company has controlled, that the token was enrolled to this very specific device…
This is may opinion.
The privacyIDEA server does not allow to do so. You could however find an App, that would allow to create a backup of the token. The privacyIDEA Authenticator App also does not allow this.
Kind regards
Cornelius