It really really needs encryption to password to server it's purpose, here is good tutorial on how it should look like
https://dev.to/ranilch/securing-data-with-biometricprompt-35mo

IMHO, it's a must - to encrypt password on save, and we get credentials without biometric prompt, it should be encrypted password.
Then when we perform biometrics, it should provide decrypted password to app.

This way - this plugin will be complete.

I didn't do it that way because I don't want to limit the use of the plugin to only be used for credentials. I talk about it here #35. However, if there's a way to do it without limiting the plugin to retrieving credentials feel free to submit a PR. I'll definitely give it more thought in the future.