jchambers
commented
7 years ago Do you mean "how do we validate that the password provided by a user is correct?" You should know the private key and the expected counter value (for HOTP) or time (for TOTP). Generate a password with those parameters (for TOTP, you might check a few times on either side of the expected time to account for clock drift) and see if the user's input matches any of the generated passwords.
How to validate the generated OTP ?