I imagine it's because for 2FA logins we pass the username/password inputted into a hidden field so you can submit the 2FA and credentials at once. We used to show the fields with the entered details but the UI seems nicer this way.
You would need to raise this with the vendor as a false positive.
