To authenticate a user against a contact record in SF, I think you'll need to store a securely hashed password in a custom field against the user and validate it in the Apex API. Then you'll likely need a few more fields to handle password resets, etc. But all very doable.
We nearly went this way with the client - then they decided to build the client login area in SF Communities. I can't say I was too impressed with what I saw in Communities but that's the way they're going.
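The scheme described in the post above, as an added example that is not part of the original post or any Salesforce code: a Python model of the logic the Apex endpoint would carry out, with the contact record as a dict. The custom field names (`Password_Hash__c` and the rest), the choice of PBKDF2-HMAC-SHA256, the iteration count and the one-hour reset window are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

ITERATIONS = 600_000  # assumed PBKDF2 work factor; tune to the platform's CPU budget
RESET_TTL = 3600      # assumed reset-token lifetime in seconds

def _derive(password, salt_hex, iterations):
    raw = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), iterations)
    return raw.hex()

def set_password(contact, password):
    # Fresh per-user salt; the iteration count is stored so it can be raised later.
    salt = secrets.token_hex(16)
    contact["Password_Salt__c"] = salt
    contact["Password_Iterations__c"] = ITERATIONS
    contact["Password_Hash__c"] = _derive(password, salt, ITERATIONS)
    # Any outstanding reset token dies when the password changes.
    contact["Reset_Token_Hash__c"] = None
    contact["Reset_Expires__c"] = None

def verify_password(contact, password):
    stored = contact.get("Password_Hash__c")
    if not stored:
        return False  # contact has no portal login yet
    candidate = _derive(password, contact["Password_Salt__c"], contact["Password_Iterations__c"])
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

def start_reset(contact, now=None):
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)
    # Only a hash of the token is stored, so a leaked record cannot be used to reset.
    contact["Reset_Token_Hash__c"] = hashlib.sha256(token.encode()).hexdigest()
    contact["Reset_Expires__c"] = now + RESET_TTL
    return token  # sent to the contact's email address, never persisted

def finish_reset(contact, token, new_password, now=None):
    now = time.time() if now is None else now
    stored = contact.get("Reset_Token_Hash__c")
    expires = contact.get("Reset_Expires__c")
    if not stored or expires is None or now > expires:
        return False
    if not hmac.compare_digest(hashlib.sha256(token.encode()).hexdigest(), stored):
        return False
    set_password(contact, new_password)  # also clears the single-use token
    return True
```

The reset fields are the "few more fields" the post mentions: a token hash and an expiry, both cleared on any successful password change.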