Thank you for all who provided feedback.
The problem with the presented approach is this: when second action is sent with the 2FA code, there's a high chance the BP that will process it to not be the BP that processed the first action, the same BP that generated the 2FA code, and sent it via email to the user; because of that the BP that processes the second action can not decrypt the 2FA code stored by the first BP (unless it is the same BP). For this to be solved the second BP has to encrypt the stored 2FA code as well, first BP decrypt it and now the second BP can decrypt it using its key (employ the asymmetric key encryption flow).

Other resources:
https://www.thinkmind.org/download.php?articleid=iciw_2017_4_10_20037
https://bitcointalk.org/index.php?topic=603531.0