The second suggestion is not really that good as it adds quite a bit more work and risk.
Sometimes the simpler methods, such as point 1, are probably good to go with. As with any security concern, this will / should dictate the requirements. Having a separate database does add some benefit but would be more problematic.
I would go for point 1.
However, have you looked into Windows Identity Foundation? It uses federated security whereby you could have multiple applications all signing on using a single user token. This is claims-based authentication and would work quite well in multiple-application scenarios.