---
title: OTPs Must Have 20-bit Entropy Minimum
impact: MEDIUM
impactDescription: prevents OTP brute-forcing
tags: otp, entropy, authentication, 2fa, security, csharp
---

## OTPs Must Have 20-bit Entropy Minimum

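Generate OTPs with a cryptographically secure random number generator (CSPRNG). `System.Random` is not cryptographically secure, and the range in the incorrect example below allows fewer than 9,000 distinct codes.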

**Incorrect (Random):**

```csharp
// System.Random is not a CSPRNG, and Next(1000, 9999) returns only 1000..9998
var otp = new Random().Next(1000, 9999);
```

**Correct (CSPRNG):**

```csharp
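using System.Security.Cryptography;

// 6 digits: uniform over 0..999999 (the upper bound is exclusive)
int otp = RandomNumberGenerator.GetInt32(0, 1000000);
string otpString = otp.ToString("D6"); // zero-pad so leading zeros are kept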
```
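
An added example, not part of the original rule: it compares the keyspace of the two snippets above, shows that `System.Random` repeats its output for a repeated seed, and generalizes the CSPRNG version to a fixed-length code. `OtpDemo`, `EntropyBits` and `Generate` are hypothetical names, and .NET Core 3.0 or later is assumed for `RandomNumberGenerator.GetInt32` and `Math.Log2`.

```csharp
using System;
using System.Security.Cryptography;

public static class OtpDemo
{
    // Bits of entropy in a uniform choice among `keyspace` values.
    public static double EntropyBits(long keyspace) => Math.Log2(keyspace);

    // Hypothetical helper: fixed-length numeric OTP drawn from the CSPRNG.
    public static string Generate(int digits = 6)
    {
        // Fewer than 6 digits is shorter than the rule's correct example;
        // more than 9 digits would overflow the Int32 bound of GetInt32.
        if (digits < 6 || digits > 9)
            throw new ArgumentOutOfRangeException(nameof(digits));

        int keyspace = 1;
        for (int i = 0; i < digits; i++)
            keyspace *= 10;

        // GetInt32 is uniform over [0, keyspace) with no modulo bias.
        int value = RandomNumberGenerator.GetInt32(0, keyspace);
        return value.ToString("D" + digits); // zero-pad to a fixed length
    }

    public static void Main()
    {
        // Keyspace of the incorrect snippet: Next's upper bound is exclusive.
        long weak = 9999 - 1000;
        // Keyspace of the correct snippet: six decimal digits.
        long strong = 1_000_000;
        Console.WriteLine($"Random.Next(1000, 9999): {weak} codes, {EntropyBits(weak):F1} bits");
        Console.WriteLine($"GetInt32(0, 1000000):    {strong} codes, {EntropyBits(strong):F1} bits");

        // System.Random is a deterministic PRNG: equal seeds give equal codes.
        // The seed value is constructed for this demonstration.
        int first = new Random(12345).Next(1000, 9999);
        int second = new Random(12345).Next(1000, 9999);
        Console.WriteLine($"Same seed gives same code: {first == second}");

        Console.WriteLine($"CSPRNG OTP: {Generate()}");
    }
}
```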

**Tools:** Roslyn Analyzers
