Feb 11, 2025
It is a logic flaw that leads to a bypass.
I think when the triager saw the word "token", he marked it as NA without reading the report carefully.
I told him: the token is leaked in the response of the login,
and I reported this bug as a 2FA bypass, not ATO, so we assume that the attacker has the **credentials** of the victim,
and made a request to ensure they will take a look again.