Welcome to the privacyIDEA community. I am looking forward to you becoming a helpful member of the community.
How come you think that this might be a bug?
privacyIDEA has been around since 2014. It is based on software that started in 2010. The mentioned plugin started roughly shortly after 2010.
People working on this project started to deal with 2FA on a professional basis in 2005.
So could you imagine that they know what they are doing and that this is no bug?
Could it be that there might be the slightest chance of a misconfiguration?
Unfortunately, we cannot know, because we do not know anything about your setup.