# Storing OTPs

CFA permanently stores the OTPs you provide alongside the request. There is no real **technical** reason for this: we could easily wipe them after the request has been obtained, and at some point we might. While CFA is still in preview, we keep them around for debugging purposes. To explain why this doesn't make your OTP secret less secure, I'd like to refer you to the original [OTP RFC](https://tools.ietf.org/html/rfc4226#section-6).

> Assuming an adversary is able to observe numerous protocol exchanges and collect sequences of successful authentication values. This adversary, trying to build a function F to generate HOTP values based on his observations, will not have a significant advantage over a random guess.

Basically, you can have as many examples of OTPs for a given secret as you want and it won't make it any easier for an attacker to guess a valid OTP.
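
The claim above can be checked directly against the HOTP construction in RFC 4226. The following is an added example, not CFA's code: it implements HOTP, verifies it against the RFC's published Appendix D test vectors, and counts how often a previously stored OTP turns out to be valid for a later counter. The function name `stored_otp_hits` and the sample sizes are assumptions made for this illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP value per RFC 4226 section 5.3: truncated HMAC-SHA-1 of the counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation: low nibble of the last byte
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def stored_otp_hits(secret: bytes, n_stored: int, n_future: int) -> int:
    """Count future OTPs that equal any OTP already stored with earlier requests.

    Models someone who can read every stored OTP and reuses them as guesses.
    (Hypothetical helper for this example.)
    """
    stored = {hotp(secret, c) for c in range(n_stored)}
    future = range(n_stored, n_stored + n_future)
    return sum(1 for c in future if hotp(secret, c) in stored)


# Test secret and expected values published in RFC 4226 Appendix D.
RFC_SECRET = b"12345678901234567890"
RFC_VECTORS = [
    "755224", "287082", "359152", "969429", "338314",
    "254676", "287922", "162583", "399871", "520489",
]

if __name__ == "__main__":
    assert [hotp(RFC_SECRET, c) for c in range(10)] == RFC_VECTORS

    n_stored, n_future = 10, 1000
    hits = stored_otp_hits(RFC_SECRET, n_stored, n_future)
    # Chance level: each future OTP matches one of the stored 6-digit values
    # with probability n_stored / 10**6, the same as picking guesses at random.
    expected = n_future * n_stored / 10 ** 6
    print(f"stored OTPs valid later: {hits} of {n_future} (chance level ~{expected})")
```

Each OTP is a 6-digit truncation of an HMAC over a fresh counter, so the stored history behaves like a list of unrelated random numbers when used as guesses.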


