That device you mention exists, and it works with most computers that have Bluetooth (I can’t think of an example where it hasn’t).
You should be able to use a device that’ll show up if you search “Bluetooth fido2 u2f”. Your administrator may need to enable webauthn security keys in the admin panel for Duo.
Many of the devices also support a USB mode, so if you can plug in or it has Bluetooth it’s compatible.
Aside from this being a totally solvable problem without you getting a new phone, and with very reasonable steps and affordably: you should really get a new phone.
Feature wise the phone might not have anything you need, but your current phone has stopped receiving security updates, which is an issue. In general you should have a phone that is still receiving timely security updates.
Having an unsupported phone is like having a front door with a lock that’s possibly broken. It “works” in that it covers the hole in your house, and it might stop someone who wants to walk in, and the likelihood that someone tries is probably low, but there’s a good chance that if someone did try, they would find it hilariously easy.
It’s reasonable for your employer to only allow authentication from a secure device, which unfortunately yours is not.