I think I understand what you’re asking for: when an Android user goes to launch the Duo Mobile app, Duo Mobile would prompt them for a PIN before allowing them to approve a push authentication request. Correct? The desire is to minimize the vulnerability of an attack scenario where the attacker has physical access to the user’s 2FA device.
Instead of requiring a PIN to launch Duo Mobile, our approach to solve for this scenario is slightly different - with a PIN-protected screen lock on the device.
Enabling screen lock with passcode on iOS or with PIN on Android secures devices by requiring input of a numeric code when turning on your device or unlocking the screen. If the screen is locked when a Duo Mobile push authentication request is received, then the screen must be unlocked before approving the authentication request.
Note that this does not force the user to set up a screen lock; it merely prevents them from approving a push authentication request until they do. Google Apps Policy settings do not need to be adjusted and passwords will not need to be reset.
If you already have an MDM policy in place that requires a screen lock, great. If you have a BYOD user population, adding a screen lock with PIN would be something they could voluntarily opt into for the added convenience of approving push authentication requests from their personal phones. We’d love to hear more about how this intersects with your Google Apps Policy and password resets.