Attack Surface Manager (ASM) only uses SSO with Bitbucket, Google and Microsoft Accounts. Oauth2 protocol is used. Such protocol only accepts login attempts from trusted URLs and has industry-standard 2048 bytes access tokens. We do not store any account passwords. The only personal information we store of our clients is:
Full name (provided by Google or Microsoft)
Company and cellphone (only if shared, user can decide)
It is also worth noting that if users lose their corporate email, they also lose access to their Attack Surface Manager (ASM) account. Clients can easily manage who has and who does not have access to their projects.