Authenticating without a database

An XML file holding user credentials is a database. The definition of a database isn't limited to MySQL (or whatever it is you had in mind).

How users are authenticated and where exactly their credentials are stored are two entirely separate concerns. A bcrypt hash is a bcrypt hash, regardless of whether it's stored in a plaintext file, a MySQL table or a MongoDB document.

Of course, different types of database systems work differently and require different ways of updating and loading data, but this has nothing to do with user authentication specifically. Those are general issues of data storage.


authenticating without a database

I'm going to interpret this as meaning

Is it possible to design a challenge-response system which lets a principal prove that they are who they say they are without using an amount of storage that scales with the number of principals? I.e. using storage that is O(1) w.r.t. the number of principals.


One way to authenticate a principal is to have them present something only they or you could know. If someone knows it, and that someone isn't you, then it's them :)

Cryptographic signing allows you to generate strings (tokens) that

  1. you can give to someone
  2. you can forget
  3. they can give back, and you can verify that it really was given by you

If you trust the authenticating principal not to leak secrets that gate access to their account, you can give them a signed output and use signature checking to authenticate them.

If you can't trust them not to leak secrets, then you can't trust them not to leak a password that you've hashed into your database anyway, so the possibility of naive users leaking a secret that can be replayed is not a reason to prefer passwords over signing.


Simple signature checking doesn't provide for fine-grained revocation but that's an authorization problem, not strictly an authentication problem.
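
The sign-and-forget scheme from the answer above, as an added example that is not part of the original answer. It assumes HMAC-SHA256 under a single server-side key as the signing primitive; the function names, the `expires:principal` payload layout, and the expiry field are illustrative choices, the last added because the scheme has no per-token revocation.

```python
import base64
import hashlib
import hmac
import secrets
import time

# Assumption: this one key is the only stored state, so storage is O(1)
# in the number of principals. Rotating it invalidates every token at once.
SERVER_KEY = secrets.token_bytes(32)


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(principal: str, ttl_seconds: int, key: bytes = SERVER_KEY, now=None) -> str:
    """Return 'payload.tag'. Nothing about the principal is stored afterwards."""
    expires = int(now if now is not None else time.time()) + ttl_seconds
    payload = _b64(f"{expires}:{principal}".encode("utf-8"))
    tag = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
    return f"{payload}.{_b64(tag)}"


def verify_token(token: str, key: bytes = SERVER_KEY, now=None):
    """Return the principal if the token is authentic and unexpired, else None."""
    try:
        payload, tag_text = token.split(".")
        expected = hmac.new(key, payload.encode("ascii"), hashlib.sha256).digest()
        # Check the tag (in constant time) before trusting anything in the payload.
        if not hmac.compare_digest(expected, _unb64(tag_text)):
            return None
        expires_text, principal = _unb64(payload).decode("utf-8").split(":", 1)
        if int(expires_text) < int(now if now is not None else time.time()):
            return None
        return principal
    except (ValueError, UnicodeError):
        # Malformed tokens (wrong part count, bad base64, bad payload) are rejected.
        return None
```

Anyone holding a valid token can replay it until it expires, which is the leak scenario the answer compares to a leaked password.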


Authenticating that way is fine, but the real trick is doing your credential management and updates. How do users change their passwords? Are you rewriting your source to do that?

I've certainly seen authentication credentials stored in XML, JSON, and CSV files. You need to take steps like acquiring a lock when modifying the file, handling crashes, etc., which are normally taken care of with a database.