We - and I'm sure every other vendor - limit OTP tries.
The guidelines for authentication are very well-defined by NIST 800-63B. For example:
> In all cases, the authentication SHALL be considered invalid if not completed within 10 minutes.
https://pages.nist.gov/800-63-3/sp800-63b.html#5132-out-of-b...
Depending on the exact type of OTP, NIST may have different guidelines.