The OWASP auth cheat sheet discusses many of the options for making that phishing of a password useless instead of reacting to its use. Separate IdPs with weak MFA, FIDO, etc. And of course if one isn't doing small-time bland business, one should consider more complete computing silos for many things, signed email or separate double-ratchet-oriented messengers, etc.