It's when you are not quick enough to write in the two-factor code for example, their CSRF token will expire.
I admit I think it a bit harsh to set it to timeout this quick, but hey whatever works.