Add multifactor authentication, allowing users to use a TOTP or security key. This would be especially important for protecting admin accounts which have access to a vast amount of PII.