Is 6 digits really enough for an OTP code?


SecretStasher

Member
Feb 14, 2023
Someone noted up-thread that a website ought to not prevent endless guessing for a user, and that's true. But given the changing code every 30 seconds, and the typical site response turn-around, brute forcing OTPs is not practical. :)
Ya, I think we did arrive at the agreement that brute forcing OTPs is not practical, but that the reason it's not practical is the response turnaround time for each guess, plus other security measures likely to be in place such as lockouts after a certain number of guesses and use in conjunction with a long, strong password.

Hypothetically, if a bad actor were truly able to make 1000 guesses per second, brute forcing a 6-digit OTP code would be very practical even if the correct OTP code also changed 1000 times per second, but as noted in this lengthy discussion, this would never be possible or allowed in the real world. :)