Ya, I think we did arrive at the agreement that brute forcing OTPs is not practical, but that the reason that it's not practical is because of the response turnaround time for each guess and other security measures likely to be in place such as lockouts after a certain number of guesses and use in conjunction with a long, strong password.Someone noted up-thread that a website ought to not prevent endless guessing for a user, and that's true. But given the changing code every 30 seconds, and the typical site response turn-around, brute forcing OTP's is not practical.
Hypothetically, if a bad actor were truly able to make 1000 guesses per second, brute forcing a 6 digit OTP code would be very practical even if the correct OTP code also changed 1000 times per second, but as noted in this lengthy discussion, this would never be possible or allowed in the real world.
