Security: 2-factor bypass chromebooks
Reported by jjboll...@gmail.com, May 2 2016
Issue description

VULNERABILITY DETAILS
2-factor bypass all chromebooks.

VERSION
Version 49.0.2623.112
Platform 7834.70.0 (Official Build) stable-channel nyan_blaze
Firmware Google_Nyan_Blaze.5771.63.0

REPRODUCTION CASE
Use a Google account with 2-factor authentication to log in to a chromebook. Log out. Anyone can now bypass the 2-factor by simply turning off the wifi, logging in, then turning the wifi back on. You now have full access to the account. There are no prevention methods to stop this from happening on a managed chrome book.
May 10 2016
This is an example of a physically local attack, and as such it isn't considered in Chrome's threat model. See https://www.chromium.org/Home/chromium-security/security-faq#TOC-Why-aren-t-physically-local-attacks-in-Chrome-s-threat-model- for more information. That said, this may still be a bug. Does anyone on the cc list have an idea of who a good owner might be? I'm at a bit of a loss here.
May 10 2016
It's not a physically local attack. It's just confusion about what the second factor is protecting. Specifically, the second factor is used to authenticate the user's session on that device to the remote server. That's why the second factor is required to initially log into the device, but not for later logins (so long as the user's profile hasn't been removed).
May 10 2016
Yes, but on a managed chrome book, there is no way to remove your account. So any managed Chrome books that you log in to all have 2F (almost) permanently bypassable.
May 10 2016
It's not bypassable, because the second factor was never required to access the device in the first place. As I explained in the previous comment, the second factor is used to authenticate to the remote server, not the device. Put another way, if you have the user's password and physical access to the device, then you already have everything you need to decrypt the user's stateful partition. So, requiring a second factor to log back in would just be adding theater.
Comment 1 by f...@chromium.org, May 6 2016
Labels: OS-Chrome