by Nextgrid 825 days ago
Centralized management of those is near-non-existent though.

I'd recommend Yubikeys (or actual smartcards even, if hardware constraints allow) used in PIV mode with a client certificate authing to an internal SAML/OIDC provider which seamlessly bridges to third-party apps.

This is immune to phishing because there's literally nothing to phish, beyond maybe the PIN, but that's pretty pointless as it would still require the Yubikey/smartcard to be of any use. When done well, it's also a great UX because nobody ever sees an actual login screen. Unlocked smartcard present = you are logged in everywhere.