All your data is encrypted using your master password, and the master password itself is encrypted with a randomly generated key and stored in the application's private storage. On a non-rooted device, the application's private storage is well protected by the Android security model; on a rooted device, however, any root app can access private data. For that reason, Authenticator Plus enforces a PIN lock on rooted devices, and your master password is encrypted using your PIN for additional security.
What are hardware-backed keys?
Most of the latest devices now have secure hardware storage that holds encryption keys for use by apps, providing more security by making the keys unavailable for extraction. That is, once a key is in hardware-backed storage, even the OS kernel cannot access it.
How does Authenticator Plus use hardware-backed keys?
Your master password will be encrypted with hardware-backed keys and stored in application storage, so even if root apps can access your encrypted master password, they cannot decrypt it without the hardware-backed keys (which they cannot access).