Unlocking OTP requires 3 consecutive successful authentications. As we require 6 digits per OTP auth, each auth attempt without access to the secret has a 1 in 10**6 chance of succeeding. Therefore, unlocking OTP only has a 1 in 10**18 chance of succeeding without access to the secret. Any failure resets the success counter and imposes a 15-minute delay before another attempt. So there is a limit of 96 OTP unlock attempt failures per day per account. The specs don't show it, but there is a 90-second delay between OTP unlock attempts. This is to prevent the same code working for multiple auth attempts, accounting for drift in both directions.
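
The unlock rules described above, written as a small state machine. This is an added example, not code from the project: the class, method and constant names are hypothetical, and it assumes the 90-second delay follows a successful attempt, since a failure already imposes the longer 15-minute delay.

```ruby
# Added sketch of the unlock policy described above; not the project's code.
# Class, method and constant names are hypothetical.
class OtpUnlockPolicy
  SUCCESSES_REQUIRED = 3        # consecutive valid codes needed to unlock
  FAILURE_DELAY      = 15 * 60  # seconds to wait after any failed attempt
  SUCCESS_DELAY      = 90       # seconds to wait after a successful attempt
                                # (assumption: failures use the longer delay)

  attr_reader :successes, :next_attempt_at

  def initialize
    @successes = 0
    @next_attempt_at = 0
  end

  # now: integer epoch seconds; code_valid: result of the real OTP check.
  # Returns :too_soon, :failed, :progress or :unlocked.
  def attempt(now, code_valid)
    # Inside a delay window the code is not evaluated at all, so a code
    # that just succeeded cannot be counted a second time.
    return :too_soon if now < @next_attempt_at

    unless code_valid
      # Any failure discards all progress and starts the long delay.
      @successes = 0
      @next_attempt_at = now + FAILURE_DELAY
      return :failed
    end

    @successes += 1
    @next_attempt_at = now + SUCCESS_DELAY
    @successes >= SUCCESSES_REQUIRED ? :unlocked : :progress
  end

  # Upper bound on failed attempts per account per day.
  def self.max_failures_per_day
    (24 * 60 * 60) / FAILURE_DELAY
  end

  # Denominator of the odds of guessing every required code blind.
  def self.guess_odds(digits = 6)
    (10**digits)**SUCCESSES_REQUIRED
  end
end
```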