Is this code collecting user password?

No, it means that the password is stored in SESSION.

So yes, it is remembered for some time and it’s not the best idea.

The more important thing is what is it used for and how is it processed.

It looks like it stores the password, so it can delay login process – it sends SMS, checks One-Time Password and only then performs normal WP password check, I guess.

But to be sure, you should check if that’s the only thing the stored password is used for.

tech