What is the primary threat model against static codes used for multi-factor authentication?

Static codes, known as one-time passwords (OTPs), are commonly used as the second factor in MFA. Normally, static codes are kept in a secure location; however, if not properly secured or exposed, they could be stolen. To avoid attacks against multifactor authentication systems, back-off algorithms and other techniques should be implemented to detect and prevent brute-force attempts. It's worth noting that collisions occur with hashing algorithms, not with static multifactor codes. Additionally, clock mismatch issues may occur for time-based one-time password (TOTP) codes.