In order to test the CSRF vulnerability you need to:
Note: This only works if you are logged in to WordPress on the domain you're submitting.
After you have clicked on the Disable button, you can view the effects by loading / refreshing the Two Factor Authentication plugin page.
Note II: This only works for vulnerable versions of the plugin (all versions below 1.3.13)
Note III: Be sure to enable the plugin again!!