I do understand the need for OTPs (One Time Password). It’s a very easy way to confirm the identity of a user using a different medium. And the key here is the word confirm, because it’s not an actual password, just a simple way to confirm an existing authentication.

If it’s not the primary way to confirm it, then why are most services using so long OTPs? Especially since they come to an email address or SMS text, it’s not necessarily very easy to remember six or eight random digits.

Four digits would be more than enough.

It’s very unlikely that an attacker cannot try 1000 different combinations of the one-time-password.

That’s why it’s called a one time password.

Even credit card PINs are usually 4 digits long, because it’s not like someone can try all the combinations and finally guess it. It’s just 3 attempts and that’s it… Your card is blocked.

So if you’re in any way involved in developing such a system, please discuss the need for lengthy OTPs with your teammates, manager or security officer.

Four digits are more than enough.