zlacker

Google Authenticator lets you export your entire set of secrets as a QR code. In fact, you can even store them on Google's servers. Though I have no clue why you would do this instead of just printing out the QR code and storing it in a lockbox...

Furthermore nothing prevents you from just taking pictures of the individual enrollment keys and printing those out either.

If you want TOTP 2FA that actually follows a one key per device policy you need to buy hardware tokens with some kind of out-of-band keying mechanism and enroll those. Then your problem changes from "how to stop people from copying my 2FA tokens" to "how to not get locked out of my account when my 2FA key device breaks."