OTP Bruteforce Calculator
One Time Password systems became really popular recently, but to have a robust 2FA you need to limit attempts: OTPs are 6-digit codes which are easy to remember and type and just as easy to bruteforce. It will take 3 days maximum. Do not use CAPTCHA to stop the attacker - it will make the attack more expensive ($1 per 1,000 captchas) but it will remain feasible. Simply lock the account after 10 failed attempts and ask the user to change his password.
Clock skew (how many OTPs are valid at once).
Number of combinations, for 6 digits it's just a million.
Requests per second the attacker can make.