Cit. @hiraeth in this topic on this forum.
From the users' viewpoint, PODS is indeed—in your wording—a username/password system, since both hosted users and owners do access it via username and password, though not so do authorized applications. Usernames and corresponding (hashed) passwords are stored where they belong—in the one and the only one appropriate PODS instance. There is no central server by design there.
The aforementioned dedicated built-in authentication mechanism on principle could additionally be involved in accessing all data stored in a PODS instance to make sure that all users' data (user's WebID profiles) get authorized access. However, the implementation of this—insofar as apparent—currently is undocumented and at least testing the installation of Node Solid Server (NSS) 4.2.0-rc.0 as a PODS instance fails locally yet, cf. Fig.0b presented on an intermittently with intermediate interruptions, as a general rule between 20:00 and 07:00 GMT/UTC o'clock, and temporarily operated web server. Additionally, there is a currently unresolved symptom, which hedges about the scope of the aforementioned built-in authentication mechanism.
Take note of the fact that references (links) to the temporarily operated web server still may shift over time.