{% extends "base.html.twig" %} {% block title %}How to manage Auth Profiles{% endblock %} {% block body %}

Authentication Profiles


Authentication profiles govern the credentials used for direct server -> device connections. An authentication profile specifies a few pieces of configuration:

  • Username - this is the username that is used when connecting to the device via SSH.
  • SSH Password - Password to be used when connecting to the device via SSH. You must specify either password or key (below) in the Auth profile.
  • SSH Key - Private SSH Key to be used when connecting to the device via SSH. You must specify either password (above) or key in the Auth profile.

When a connection is attempted, key-based authentication is performed first (if the SSH Key is defined in the Auth profile). If the SSH Key is not defined, password authentication is performed.

Once you have an Auth Profile defined, you can assign it to a particular device in its Device Details. A device can have only one Auth Profile assigned.

The secrets (passwords, keys) are stored in the database. Only root and DWARFG_SHORT users are allowed DB access, but you need to pay attention to any DB dumps (DB backups) stored in the filesystem if you have such backups configured. Anybody with access to a DB dump can access the secrets data.

To reduce this exposure a little, the secrets are not stored as plaintext but in encoded form. The encoding makes it impossible to read the plaintext directly out of the database (or a DB dump), but a determined and able attacker who gains access to the data will be able to decode it and thus obtain your devices' passwords or SSH keys. The encoding is therefore no substitute for protecting your server and any DB dumps/backups you make. Pay close attention to your server/DB backup configuration, to where the backup data is stored, and to who has access to it.
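
The backup caveat above can be checked mechanically. The following is an added example, not part of the product: a shell function (assuming GNU find and stat) that flags dump files or directories accessible to anyone other than their owner, or owned by an account outside an allow-list you supply. The directory path and owner name in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example: audit a DB dump/backup directory for loose permissions.
# Assumes GNU find and GNU stat (stat -c). The directory and the list of
# permitted owners are supplied by the caller; neither comes from the product.

# audit_dumps DIR "OWNER1 OWNER2 ..."
# Prints one finding per line. Returns 0 when clean, 1 when something is
# exposed, 2 when DIR does not exist.
audit_dumps() {
    dir=$1
    allowed=" $2 "
    if [ ! -d "$dir" ]; then
        echo "MISSING $dir"
        return 2
    fi
    findings=$(
        # Check the directory itself, its subdirectories and every file.
        find "$dir" \( -type f -o -type d \) -exec stat -c '%a %U %n' {} + |
        while read -r mode owner path; do
            # Octal mode must end in 00: no group or other permission bits.
            case $mode in
                0|*00) ;;
                *) echo "MODE $mode $path" ;;
            esac
            # Owner must be on the allow-list.
            case $allowed in
                *" $owner "*) ;;
                *) echo "OWNER $owner $path" ;;
            esac
        done
    )
    if [ -z "$findings" ]; then
        return 0
    fi
    printf '%s\n' "$findings"
    return 1
}

# Usage (placeholder path and owner):
#   audit_dumps /path/to/db-backups "root"
```

Run it from cron or a monitoring check after each backup job, and treat any MODE or OWNER line as a finding to fix with chmod or chown.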

{% endblock body %}