Computer networks
Rodion Baskakov, 2013-11-28 09:38:57

Licensing when working with EDS

I can't find the answer to the following question anywhere.
Suppose I am developing a web project for a certain customer. And this customer wants employees who publish materials to sign them using digital signatures. Do I need to obtain any licenses to work with EDS in order to implement this task (introduction of electronic signature mechanisms in the admin panel)?
For example, there is Decree of the Government of the Russian Federation No. 313, in the title of which there are the words
"ON APPROVAL OF THE REGULATION ON LICENSING OF ACTIVITIES FOR THE DEVELOPMENT, PRODUCTION ... OF INFORMATION SYSTEMS AND TELECOMMUNICATION SYSTEMS PROTECTED WITH THE USE OF ENCRYPTION (CRYPTOGRAPHIC) MEANS ...", which states, among other things, the following:
— — — — — — — — — — — — — — — — — — — — — — — — — — —
2. Encryption (cryptographic) means (means of cryptographic information protection), including documentation for these means, include:
a) ...;
b) means of imitation protection - hardware, software and hardware-software encryption (cryptographic) means (with the exception of encryption means) that implement algorithms for cryptographic transformation of information to protect it from the imposition of false information, including protection from modification, to ensure its reliability and uncorrectability, as well as ensuring the possibility of detecting changes, imitation, falsification or modification of information;
c) means of electronic signature;

— — — — — — — — — — — — — — — — — — — — — — — — — — —
Does this mean that I, as a developer, must obtain an appropriate license from the FSB (FSO?) to implement this task?


6 answer(s)
Sergey Velichko, 2013-11-29
@crizis

If the customer requires that the EDS be legally significant, then you need to use the "Orthodox algorithm and CIPF". In this case, if you use licensed "hinged" CIPF (Cryptopro, Verba, etc.), then you personally do not need to be licensed (which is expensive). But if you are going to implement CIPF or use unlicensed ones, then you need to be licensed.
If the customer does not need to use a legally significant EDS, then nothing is needed, you can use anything if your information system does not fall under ISPD.
Moreover, if I am not mistaken, the customer has the right to organize his PKI infrastructure and designate legal significance with internal documents, but this will only work between participants who have "agreed" on the significance of such EDS. But this again, only if you do not apply for ISPD and possibly some other systems.

s0ci0pat, 2013-11-28
@s0ci0pat

If you are going to issue your EDS, you need a license. If you will use a ready-made licensed product for user authentication, a license is NOT required.

Andrew, 2013-11-28
@OLS

Yes, there are activities (profit making) associated with cryptography. (If you were developing software while being on the customer's staff - another question).
This falls under PP-313 in separate articles and the FSB will have the appropriate requirements for your developers and for the organization itself. Plus, this falls under the PKZ-2005 - I also recommend reading it carefully.
Now the development of cryptography is very strictly controlled by the FSB.
(P.S. The FSO has nothing to do with this control in your case.)

fdsc, 2013-12-04
@fdsc

Actually, it's a big question why a license is not needed. A license is needed for any activity in the field of cryptography, including cryptographic information protection.
By encrypting anything, including by third-party means, you fall under the corresponding type of activity.
GOVERNMENT OF THE RUSSIAN FEDERATION
RESOLUTION
dated April 16, 2012 N 313
base.consultant.ru/cons/cgi/online.cgi?req=doc;bas...
3. This Regulation does not apply to activities using:
c) goods containing encryption (cryptographic) means, having either an authentication function that includes all aspects of access control, where there is no encryption of files or texts, with the exception of encryption, which is directly related to the protection of passwords, personal identification numbers or similar data for protection from unauthorized access, or having an electronic signature;
d) encryption (cryptographic) tools that are components of software operating systems, the cryptographic capabilities of which cannot be changed by users, which are designed to be installed by the user on their own without further significant support from the supplier and technical documentation (description of cryptographic transformation algorithms, interaction protocols, description of interfaces, etc.) for which is available;
As you can see, paragraph c) is written, as always, in the style of "zaderishchenko's leg over the fence." Thus, if we are talking only about an electronic signature, then you can read "This Regulation does not apply to activities using goods that have an electronic signature".
Similarly, item d) sounds rather strange. That is, by rights, apparently, it is not needed, but what will happen if they really want to hold you liable and the court interprets these points in its own way? Oh...
If you close your eyes to the strange wording of these points, then you can say that, indeed, a license is not needed.

fdsc, 2013-12-04
@fdsc

In addition, you are subject to paragraphs 7 and 8 of this regulation if you yourself produce an information system.
7. Production (replication) of encryption (cryptographic) means.
8. Production of information systems protected using encryption (cryptographic) means.
Therefore, if everything is strict, then you need to get a license. Please note: at least 2 people with experience.
In reality, we, for example, developed without a license. If you do not formalize anywhere that this system is cryptographically protected and the EDS is not applied in order to be used in court, then the FSB will not recognize your system and, accordingly, you will not be held liable.

Sergey Velichko, 2013-12-04
@soldat58

In our country, without a license, you can only sell seeds, and even then you will need to collect a bunch of permits. Therefore, if you are developing neither an ISPD nor a system for processing information that constitutes a state secret, then use whatever you like. If you delve into these by-laws, then the most malicious violator is the website of public services.
