What if I have a smartphone app that has a secretphrase encrypted with the data in a qr code kept somewhere else, then I need to scan that qr code to decrypt the secretphrase, the app signs the transaction bytes with it and then discards the secretphrase and qr code data.
This isn't true 2FA. In 2FA the code is generated dynamically, so it changes every 30 second and can't be reused.
What you describe here is static password in the phone that you are scanning instead of typing.
That isn't 2FA
Nxt client never saves the password anyway, so if you don't like typing that password, you can write an app that scans it instead. Same thing. This isn't 2FA