Russian markett
User requests an OTP (login, password reset).
Server generates a random code (e.g., 6 digits) and stores a hashed version + expiry (e.g., 5 minutes).
Server sends the code via SMS/email/push using a trusted gateway.
User enters the code. Server verifies hash + expiry + attempt count.
If valid, allow the action; otherwise reject and apply rate limits.
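The steps above as a server-side sketch. This is an added example, not code from the original page. The in-memory dict, the keyed-hash choice, the names and MAX_ATTEMPTS = 5 are assumptions; delivery through the gateway and per-request rate limiting are left out.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300   # 5-minute expiry, as in the steps above
MAX_ATTEMPTS = 5        # assumed limit; the page gives no number
SERVER_KEY = secrets.token_bytes(32)  # assumed per-deployment secret for the keyed hash

otp_store = {}  # user_id -> record; stands in for a real datastore (assumption)


def code_digest(user_id, code):
    # Keyed hash bound to the user: with only 10^6 possible codes, a plain
    # hash in a leaked store could be reversed offline in moments.
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


def issue_otp(user_id, now=None):
    """Generate a 6-digit code, store only digest + expiry, return the code for delivery."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG; formatting keeps leading zeros
    otp_store[user_id] = {
        "digest": code_digest(user_id, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts": 0,
    }  # a new request replaces any earlier code for this user
    return code


def verify_otp(user_id, submitted, now=None):
    """Check expiry, attempt count and digest; a code is usable at most once."""
    now = time.time() if now is None else now
    rec = otp_store.get(user_id)
    if rec is None:
        return False
    if now > rec["expires"] or rec["attempts"] >= MAX_ATTEMPTS:
        del otp_store[user_id]  # expired or locked out: a new code must be requested
        return False
    rec["attempts"] += 1  # charge the attempt before comparing
    if hmac.compare_digest(rec["digest"], code_digest(user_id, submitted)):
        del otp_store[user_id]  # single use: a replayed code is rejected
        return True
    return False
```

The optional `now` argument exists only so expiry can be exercised without waiting; production callers omit it.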