1. Technically, all private keys on Ledger are derived from the seed phrase so it's possible to use it outside of the device. But I would like to discourage people from using the seed phrase online because that's how people get their assets compromised. In such a case, the best way would be to configure a new device with the same seed phrase.

2. There is no straightforward way to do that for an average user at the moment, although it's technically possible to sign custom_json operation. I'm going to work closely with Hive Keychain team to add the ledger support (hopefully soon).

My recommendation would be to advise your users to replace the owner key only. This will make sure your users won't leak it and do not compromise the account completely. This will not secure liquid tokens obviously but it will prevent the account from being taken over.