
What's worse is if you can get rudimentary access to the target. If you can force a deauth (usually by just DOSing the domain), you can force them through the flow again. But as the domain is DOSed, you can do authentication at the same time from a non-DOSed route. Thus they authenticate the attacker instead of themselves.

In my experience, tools don't see a difference between a 409/disconnect. They just see "error, need to reauth" (Docker, cough).
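A client-side mitigation for the failure mode described in the comment above, as an added example that is not part of the original comment or any named tool's code: only an explicit 401 challenge triggers reauthentication, while a 409 or a dropped connection is retried, and repeated reauth prompts in a short window are refused. The names `classify_failure` and `ReauthGuard` and the thresholds are hypothetical.

```python
import time

REAUTH, RETRY, FAIL = "reauth", "retry", "fail"

def classify_failure(status=None, headers=None, exc=None):
    """Decide what a client should do after a failed request.

    status/headers describe an HTTP response; exc is a transport error
    (disconnect, timeout) raised before any response was received.
    """
    headers = {k.lower(): v for k, v in (headers or {}).items()}
    if exc is not None or status is None:
        # No response at all: this says nothing about the credential.
        return RETRY
    if status == 401 and "www-authenticate" in headers:
        # The server explicitly challenged the credential.
        return REAUTH
    if status in (408, 409, 425, 429) or 500 <= status <= 599:
        # Conflict, throttling or server trouble: back off and retry.
        return RETRY
    return FAIL  # anything else is surfaced to the user, not "fixed" by login

class ReauthGuard:
    """Refuse repeated reauthentication inside a short window.

    A burst of forced logins during an outage is suspicious, so the
    client stops prompting instead of walking the user through the flow again.
    """
    def __init__(self, max_reauths=1, window_s=300, clock=time.monotonic):
        self.max_reauths = max_reauths  # assumed threshold
        self.window_s = window_s        # assumed window, in seconds
        self.clock = clock
        self.stamps = []

    def allow(self):
        now = self.clock()
        self.stamps = [t for t in self.stamps if now - t < self.window_s]
        if len(self.stamps) >= self.max_reauths:
            return False
        self.stamps.append(now)
        return True
```
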


