Today I was fighting against a TOTP library in PHP, since it works for 6 and 8 digits, but for 10 it was giving inconsistent values, due to a conversion to a 32 bits int.
It felt amazing when, after a few hours, I found what was causing the error…
And found that many libraries have the same problem.
Now I get why TOTP is limited to 8 chars. It’s a 2FA but not a Password. Perhaps another algorithm will be needed to support 16 digits.