Good news --- yes it's possible!
Bad news --- you have a lot of work to do ;)
As an advice, it's better if you keep your credential provider as simple as possible, and all work of user authentication via
QR code, graphical password and Kinect motion password
will put in another app. So that credential provider will pass entered credentials to that app, and will receive back a result of authentication. The app will do the most hard work. This app should be a windows service, because it's always running regarding of are there any user sessions or not. Communication between app and credential provider can be done for example, by named pipes, or any other ipc mechanism.
For other questions:
Credential provider by itself is a COM.
To communicate with another apps, they aren't have to be a COM.
You can any app from credential provider as far as you have sufficient rights.