Unlocking OTP requires 3 consecutive successful authentications.
As we require 6 digits per OTP auth, each auth attempt without
access to the secret has a 1 in 10**6 chance of succeeding.
Therefore, unlocking OTP only has a 1 in 10**18 chance of succeeding
without access to the secret. Any failure resets the success counter,
and imposes a 15 minute delay before another attempt. So there is
a limit of 96 OTP unlock attempt failures per day per account.
The specs don't show it, but there is a 90 second delay between
OTP unlock attempts. This is to prevent the same code working for
multiple auth attempts, accounting for drift in both directions.
24afad3921