At SendCloud we use various administrative systems which allow our employees to help our clients whenever necessary. Authentication for SendCloud employees who are granted such access is protected via a single sign-on with our central authority system. We enforce 2FA and strong passwords on all accounts. The administrative system keeps an audit trail.
Access to the administrative system is controlled via a fine grained role system, only providing access to the data needed based on the employees function and seniority.
On other external programs access is granted via the central authority system as much as possible. This way we enforce strong passwords and 2FA on these systems.