epicshaggy / capacitor-native-biometric


Feature request : Invalidate password on enrollment

Pima-Dev opened this issue

This Capacitor plugin is missing an important security option which should allow invalidating the password when a new biometric is added or removed. This option is available in https://github.com/niklasmerz/cordova-plugin-fingerprint-aio#optional-parameters-2 under the name invalidateOnEnrollment.

This is actually an issue because on Android the encryption key (used to encrypt/decrypt the username and password) can be retrieved without being biometrically authenticated; this means that you don't technically need to call verifyIdentity before getting/setting/deleting credentials (although I highly recommend it).

See my ticket for more information: #80

I'll be submitting a PR soon to address this (as a breaking change) to set the credentials to require auth and be invalidated on biometric enrollment/removal.
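As an added example, not code from the plugin or from the reporter's proposed PR, the following Java shows the Android KeyStore settings that produce the behaviour described above: the AES key can only be used after a biometric authentication (`setUserAuthenticationRequired(true)`), and it is permanently invalidated when a biometric is enrolled or removed (`setInvalidatedByBiometricEnrollment(true)`). The class name `AuthBoundCredentialKey`, the alias `credential-key` and the helper methods are assumptions for illustration; the Android and AndroidX Biometric APIs called are the real ones.

```java
import android.os.Build;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyPermanentlyInvalidatedException;
import android.security.keystore.KeyProperties;
import androidx.biometric.BiometricManager;
import androidx.biometric.BiometricPrompt;
import androidx.core.content.ContextCompat;
import androidx.fragment.app.FragmentActivity;
import java.security.KeyStore;
import java.util.function.Consumer;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.GCMParameterSpec;

/** Hypothetical helper (not the plugin's API) for an auth-bound credential key. */
public final class AuthBoundCredentialKey {
    private static final String KEYSTORE = "AndroidKeyStore";
    private static final String ALIAS = "credential-key";      // assumed alias
    private static final String TRANSFORM = "AES/GCM/NoPadding";

    /** Generates the AES key so it is unusable without biometric auth and is
     *  invalidated by any biometric enrollment change (the requested option). */
    public static void generateKey() throws Exception {
        KeyGenParameterSpec.Builder b = new KeyGenParameterSpec.Builder(
                ALIAS, KeyProperties.PURPOSE_ENCRYPT | KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .setUserAuthenticationRequired(true)          // every use needs a verified user
            .setInvalidatedByBiometricEnrollment(true);   // API 24+: kill key on enrollment change
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.R) {
            // API 30+: authentication is required per operation, biometric class 3 only
            b.setUserAuthenticationParameters(0, KeyProperties.AUTH_BIOMETRIC_STRONG);
        } else {
            b.setUserAuthenticationValidityDurationSeconds(-1); // pre-30 spelling of "per use"
        }
        KeyGenerator kg = KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, KEYSTORE);
        kg.init(b.build());
        kg.generateKey();
    }

    /** Loads the key and initialises a Cipher for BiometricPrompt. Returns null when the
     *  key is missing or was invalidated by an enrollment change (key is then deleted so
     *  the caller can also wipe the stored credentials and force re-enrollment). */
    public static Cipher prepareCipher(int mode, byte[] iv) throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        SecretKey key = (SecretKey) ks.getKey(ALIAS, null);   // getKey alone never prompts
        if (key == null) return null;
        Cipher c = Cipher.getInstance(TRANSFORM);
        try {
            if (mode == Cipher.ENCRYPT_MODE) {
                c.init(mode, key);                            // KeyStore picks a fresh IV
            } else {
                c.init(mode, key, new GCMParameterSpec(128, iv));
            }
        } catch (KeyPermanentlyInvalidatedException e) {
            ks.deleteEntry(ALIAS);                            // biometrics changed: start over
            return null;
        }
        return c;
    }

    /** Runs the cipher only inside a successful BiometricPrompt; the callback receives
     *  IV || ciphertext for encryption, or the plaintext for decryption. */
    public static void runAfterAuth(FragmentActivity activity, Cipher cipher, byte[] input,
                                    Consumer<byte[]> onDone, Consumer<Exception> onError) {
        BiometricPrompt prompt = new BiometricPrompt(activity,
            ContextCompat.getMainExecutor(activity), new BiometricPrompt.AuthenticationCallback() {
                @Override
                public void onAuthenticationSucceeded(BiometricPrompt.AuthenticationResult r) {
                    try {
                        Cipher authed = r.getCryptoObject().getCipher(); // same object, now authorised
                        byte[] out = authed.doFinal(input);
                        if (authed.getIV() != null && out.length > 0 && input.length > 0
                                && authed.getParameters() != null) {
                            byte[] iv = authed.getIV();
                            byte[] joined = new byte[iv.length + out.length];
                            System.arraycopy(iv, 0, joined, 0, iv.length);
                            System.arraycopy(out, 0, joined, iv.length, out.length);
                            out = joined;
                        }
                        onDone.accept(out);
                    } catch (Exception e) {
                        onError.accept(e);
                    }
                }
            });
        BiometricPrompt.PromptInfo info = new BiometricPrompt.PromptInfo.Builder()
            .setTitle("Unlock credentials")
            .setNegativeButtonText("Cancel")
            .setAllowedAuthenticators(BiometricManager.Authenticators.BIOMETRIC_STRONG)
            .build();
        prompt.authenticate(info, new BiometricPrompt.CryptoObject(cipher));
    }
}
```

Two points a practitioner should check when wiring this in: `KeyStore.getKey` and `Cipher.init` succeed without any prompt, so invalidation is only detected at `init` (the `KeyPermanentlyInvalidatedException` branch), and a caller that skips the biometric step still holds a `Cipher` whose `doFinal` will fail rather than silently returning the credentials; and because the per-use key is bound to the `Cipher` inside the `CryptoObject`, the decryption IV must be stored alongside the ciphertext when encrypting and passed back to `prepareCipher` when decrypting.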