Interesting, I was about to start a discussion on this. We are on a similar path with our Windchill system and have a prototype working in our development environment.

First of all, customizing Windchill to achieve is a costly affair to design,develop and maintain. You can do only so much with basic authentication and to have better flexibility you will have to switch to a form based authentication. I am not sure how many of these authentication servlets are supported for customization. Needless to say, you are on your own for any upgrades or updates.

1. Best option is to use an SSO/ADC solution to manage the application delivery and authentication. Netscaler has something called nFactor authentication which does exactly what you said. It extracts the group information from a directory service to determine the authentication policy. I have some notes on how to set this up which I can share if you are interested.  The downside of this is that you need to procure a SSO solution, most of the companies own some sort of SSO solution, look to see whether you can leverage this if you have one. By installing an agent on the Webserver you can control the authentication,
2. Alternate option is to use Apache with radius server and a 2F authentication provider - RSA or WIKID or Google Authenticator, if you can configure a reverse proxy dedicated for this  group of  users, you can turn on authentication specific header variable from the reverse proxy. Radius server can be configured to read the header variable, and turn 2 factor authentication on or off.  Need a WiKID Secure Windchill System?‌ - LiveWorx16 this is a very good presentation on this by Shawn from Boston Engineering