One-time passwords must be at least 6 characters long.
One-time passwords (OTP) are secrets used during operations that need added
security or as part of user enrollment processes.
Despite their short lifespan, they should be at least 6 characters long
as a protection against brute-force attacks.
NIST 800-63B 5.1.1.2 Memorized Secret Verifiers
Memorized secrets that are randomly chosen by the CSP (e.g., at enrollment)
or by the verifier (e.g., when a user requests a new PIN)
SHALL be at least 6 characters in length
and SHALL be generated using an approved random bit generator.
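
The following sketch is an added example, not code from NIST or from the source of this requirement. It enforces the 6-character floor at generation time, draws the OTP from the OS CSPRNG through Python's `secrets` module, and shows how the guessing odds change with length. Assumptions: that the OS CSPRNG counts as the approved random bit generator in your environment, a numeric alphabet, a 300-second lifetime, and the hypothetical names `generate_otp`, `guess_probability` and `OtpVerifier`.

```python
import hmac
import secrets
import string
import time

MIN_OTP_LENGTH = 6  # floor stated by the requirement on this page


def generate_otp(length=MIN_OTP_LENGTH, alphabet=string.digits):
    """Return a random OTP drawn from the OS CSPRNG via the secrets module."""
    if length < MIN_OTP_LENGTH:
        raise ValueError(f"OTP length {length} is below the minimum of {MIN_OTP_LENGTH}")
    if len(set(alphabet)) < 2:
        raise ValueError("alphabet needs at least two distinct symbols")
    # secrets.choice samples uniformly, so no modulo bias is introduced.
    return "".join(secrets.choice(alphabet) for _ in range(length))


def guess_probability(length, alphabet_size=10, attempts=1):
    """Chance that `attempts` distinct guesses hit a uniformly random OTP."""
    keyspace = alphabet_size ** length
    return min(attempts, keyspace) / keyspace


class OtpVerifier:
    """Holds one pending OTP: short lifespan, single use (hypothetical helper)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        # ttl_seconds=300 is an assumed lifetime, not a value from the page.
        self._clock = clock
        self._otp = generate_otp()
        self._expires = clock() + ttl_seconds

    @property
    def otp(self):
        return self._otp  # value to deliver to the user out of band

    def verify(self, candidate):
        if self._otp is None or self._clock() >= self._expires:
            self._otp = None  # expired or already used: nothing left to match
            return False
        # Constant-time comparison avoids leaking matching prefixes via timing.
        ok = hmac.compare_digest(candidate.encode(), self._otp.encode())
        if ok:
            self._otp = None  # single use
        return ok
```

With 100 guesses, a 4-digit code is hit with probability 0.01, while a 6-digit code is hit with probability 0.0001.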