Is the organization required to comply with any regulatory requirements that may affect the type of authentication used?
As governments and industry bodies take a greater interest in the protection of customer or patient information, organizations may find themselves obliged to follow specific requirements or face stiff penalties. Examples include HIPAA for healthcare providers and their business associates, PCI DSS (a contractual industry standard rather than a law) for any company that stores, processes or transmits cardholder data, and FERPA for educational institutions. Some of these go beyond general "protect the data" language and set minimum standards for authentication itself; PCI DSS, for instance, requires two-factor authentication for remote access into the cardholder data environment, and the HIPAA Security Rule requires procedures to verify that a person or entity seeking access to electronic protected health information is who they claim to be.
One of the bigger issues here is that the organization may not even be aware it is subject to these requirements. As the security professional advising the organization, you should identify which regulations apply, point out the authentication controls they mandate, and make that the floor for any solution you recommend. Which rule sets apply will directly shape the design you end up installing, so confirm them before selecting a technology rather than after. Protecting customer financial or patient information is likely to be a high priority for the organization in any case, so weigh which authentication methods provide the strongest protection while staying within its budget and the operational complexity it can realistically support.
This was first published in September 2008