---
title: Ensure Strong OTP Entropy
impact: HIGH
impactDescription: prevents OTP guessing attacks
tags: security, mfa, otp, entropy
---

## Ensure Strong OTP Entropy

When using One-Time Passwords (OTP), generate them from a cryptographically secure random source (e.g. `SecureRandom`) and give them sufficient length (at least 6 digits). A short code drawn from a predictable generator can be guessed or brute-forced.

**Incorrect (not secure):**

```ruby
# Only 4 digits (0..9998), and Kernel#rand is a Mersenne Twister, not a CSPRNG
otp = rand(9999)
```

**Correct (SecureRandom + 6 digits):**

```ruby
require 'securerandom'

# Uniform in 0...1_000_000 from the OS CSPRNG; rjust keeps leading zeros
otp = SecureRandom.random_number(1_000_000).to_s.rjust(6, '0')
```
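As an added example (not part of the original rule), a small helper that generalizes the correct snippet to an arbitrary width, refuses widths below the 6-digit minimum, reports the entropy and random-guess probability for a given width, and compares a submitted code in constant time; the function names are assumptions for this illustration:

```ruby
require 'securerandom'

MIN_OTP_DIGITS = 6

# Generate a numeric OTP of fixed width from the OS CSPRNG.
# Rejects widths below the minimum so a caller cannot silently
# fall back to the weak 4-digit pattern.
def generate_otp(digits = MIN_OTP_DIGITS)
  raise ArgumentError, "OTP must have at least #{MIN_OTP_DIGITS} digits" if digits < MIN_OTP_DIGITS

  # random_number(10**digits) is uniform over 0...10**digits (no modulo bias);
  # rjust keeps leading zeros so every code has exactly `digits` characters.
  SecureRandom.random_number(10**digits).to_s.rjust(digits, '0')
end

# Bits of entropy for a uniformly chosen numeric OTP of the given width.
def otp_entropy_bits(digits)
  Math.log2(10**digits)
end

# Probability that an attacker making `attempts` distinct random guesses
# hits one fixed OTP of the given width.
def guess_probability(digits, attempts)
  space = 10**digits
  [attempts, space].min.to_f / space
end

# Constant-time comparison so verification time does not reveal how many
# leading digits of a submitted code were correct.
def otp_match?(expected, submitted)
  return false unless expected.bytesize == submitted.bytesize

  expected.bytes.zip(submitted.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
end

if __FILE__ == $PROGRAM_NAME
  code = generate_otp
  puts "OTP: #{code} (#{otp_entropy_bits(6).round(1)} bits)"
  puts "P(guess in 5 tries, 6 digits) = #{guess_probability(6, 5)}"
  puts "P(guess in 5 tries, 4 digits) = #{guess_probability(4, 5)}"
end
```

Pair the generator with an attempt limit on verification; entropy alone does not stop an attacker who is allowed unlimited guesses.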

**Tools:** ROTP gem, Brakeman

---
