yep! PAM is "Pluggable Authentication Module" which sits between applications and the auth method, so you can put anything there. LDAP and ActiveDirectory are fairly common ones
Not exactly. You can create custom authentication methods and prompts, but it's architected differently. (I think Local Security Authority (LSA) and Credential Providers are the keywords to search for details)