by rkayg 3864 days ago
I work at Okta (https://www.okta.com/), an SSO product among other things, and we deal with this all the time. We use a variety of techniques to help secure the user's identity and access to various applications.

1. Use the SAML protocol to log in to apps as opposed to passwords. (See https://en.wikipedia.org/wiki/Security_Assertion_Markup_Lang... for more)

2. Use MFA as much as possible. Our product works with a variety of MFA options, including hard tokens, such as Yubikey, and more software-based ones, like our own MFA app that pushes a notification for MFA.

3. Generate random passwords for other applications that can be rotated frequently and easily.

There's a lot more we do underneath the covers and other ways of improving passwords and logins, such as adaptive MFA (prompt MFA if the login passes some threshold of suspiciousness) and no-password login (simply use the multifactor token as the primary factor).
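An added example of the adaptive-MFA idea from the comment's last paragraph (prompt for a second factor only when a login attempt crosses a suspiciousness threshold). This is illustration code written for this page, not Okta's implementation: the risk signals, their weights, the threshold and the sample login history are all assumptions chosen to show the mechanism.

```python
"""Adaptive MFA decision (added example, not Okta's code).

Scores a login attempt from a few signals and returns whether a second
factor should be prompted. Signals, weights and the threshold are
assumptions chosen for illustration; a real policy would tune them.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

MFA_THRESHOLD = 50  # assumed: prompt for MFA at or above this score

# Assumed weights for each risk signal
WEIGHT_NEW_DEVICE = 30
WEIGHT_UNUSUAL_COUNTRY = 30
WEIGHT_RECENT_FAILURES = 25
WEIGHT_FAST_COUNTRY_CHANGE = 40
FAST_CHANGE_WINDOW = timedelta(hours=2)


@dataclass
class LoginAttempt:
    user: str
    country: str
    device_id: str
    timestamp: datetime
    recent_failures: int = 0  # failed password attempts just before this one


@dataclass
class UserHistory:
    known_devices: Set[str]
    usual_countries: Set[str]
    last_login: Optional[LoginAttempt] = None


def score_login(attempt: LoginAttempt, history: UserHistory) -> Tuple[int, List[str]]:
    """Return (score, reasons) for one attempt judged against the user's history."""
    score, reasons = 0, []
    if attempt.device_id not in history.known_devices:
        score += WEIGHT_NEW_DEVICE
        reasons.append("new device")
    if attempt.country not in history.usual_countries:
        score += WEIGHT_UNUSUAL_COUNTRY
        reasons.append("unusual country")
    if attempt.recent_failures >= 3:
        score += WEIGHT_RECENT_FAILURES
        reasons.append("recent failed attempts")
    last = history.last_login
    if last is not None and last.country != attempt.country:
        # A country change within a short window is hard to explain by travel
        if attempt.timestamp - last.timestamp < FAST_CHANGE_WINDOW:
            score += WEIGHT_FAST_COUNTRY_CHANGE
            reasons.append("country changed within 2h of last login")
    return score, reasons


def decide(attempt: LoginAttempt, history: UserHistory) -> Dict[str, object]:
    """Decision record: whether to prompt MFA, the score, and the reasons."""
    score, reasons = score_login(attempt, history)
    return {"user": attempt.user, "prompt_mfa": score >= MFA_THRESHOLD,
            "score": score, "reasons": reasons}


# Constructed sample history and attempts (not real data)
UTC = timezone.utc
HISTORY = UserHistory(
    known_devices={"laptop-01"},
    usual_countries={"US"},
    last_login=LoginAttempt("alice", "US", "laptop-01",
                            datetime(2024, 1, 1, 9, 0, tzinfo=UTC)),
)
ATTEMPTS = [
    # known device, usual country: no prompt
    LoginAttempt("alice", "US", "laptop-01", datetime(2024, 1, 1, 10, 0, tzinfo=UTC)),
    # new device only: below threshold, no prompt
    LoginAttempt("alice", "US", "phone-99", datetime(2024, 1, 1, 10, 0, tzinfo=UTC)),
    # new device, new country, one hour after a US login: prompt
    LoginAttempt("alice", "DE", "phone-99", datetime(2024, 1, 1, 10, 0, tzinfo=UTC)),
    # known device but new country after several failures: prompt
    LoginAttempt("alice", "DE", "laptop-01", datetime(2024, 1, 2, 9, 0, tzinfo=UTC),
                 recent_failures=3),
]


def run_demo() -> List[Dict[str, object]]:
    """Score every constructed attempt against the sample history."""
    return [decide(a, HISTORY) for a in ATTEMPTS]


if __name__ == "__main__":
    for d in run_demo():
        print(d)
```

The decision record keeps the reasons alongside the score so the prompt can be logged and audited; in practice the weights would be tuned against real login telemetry and the history updated after each successful, MFA-confirmed login.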