
Lockout policy and one-time passwords


I have a one-time password system implemented for my website using RFC 4226. This password is sent via SMS to a mobile device. The user can only receive the password on their mobile device, and the password expires after 15 minutes.

Users also have the standard alphanumeric "master password" that is typically used. I have implemented a 3-failure lockout workflow. This lockout lasts for 15 minutes.

My question is: from a security standpoint, is it acceptable to only lock out the "master password"? Should I allow the user around the lockout policy if they use the one-time password feature? Am I opening any kind of security holes?


Solution

  • It's not exactly an answer to your question, but when building systems like this you have to keep in mind that usability trumps security every time the two butt heads. The more arduous you make your security policy on end-users, the more they'll be motivated to come up with insecure workarounds to get their jobs done.

    Schneier said it better than I can summarize here, though; I'd suggest reading up on his stuff there.
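As an added example (not the asker's code or the answerer's), a minimal Python sketch of the workflow the question describes: HOTP per RFC 4226, a 15-minute lifetime for the SMS code, and a 3-failure, 15-minute lockout. It keeps one failure counter per account that both the master password and the one-time password consume, so a lockout on one path also holds on the other; the password, HOTP secret and timestamps are constructed sample values.

```python
import hashlib
import hmac
import struct

LOCKOUT_THRESHOLD = 3       # failed attempts before lockout (from the question)
LOCKOUT_SECONDS = 15 * 60   # lockout duration (from the question)
OTP_TTL_SECONDS = 15 * 60   # SMS one-time password lifetime (from the question)

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Account:
    def __init__(self, password: str, secret: bytes):
        self.password = password   # demo only: a real system stores a salted password hash
        self.secret = secret       # HOTP key shared with the SMS-sending side
        self.counter = 0           # HOTP moving factor, advanced for each issued code
        self.failures = 0          # one counter for BOTH login paths
        self.locked_until = 0.0
        self.issued_at = None      # when the current, not yet used OTP was sent
    def _fail(self, now: float) -> bool:
        self.failures += 1
        if self.failures >= LOCKOUT_THRESHOLD:   # third failure locks both paths
            self.locked_until, self.failures = now + LOCKOUT_SECONDS, 0
        return False
    def issue_otp(self, now: float) -> str:
        self.counter += 1
        self.issued_at = now
        return hotp(self.secret, self.counter)   # the code that would go out by SMS
    def login_master(self, password: str, now: float) -> bool:
        if now < self.locked_until:
            return False
        if not hmac.compare_digest(password, self.password):
            return self._fail(now)
        self.failures = 0
        return True
    def login_otp(self, code: str, now: float) -> bool:
        if now < self.locked_until or self.issued_at is None:
            return False
        if now - self.issued_at > OTP_TTL_SECONDS:   # expired: discard it, no retries on it
            self.issued_at = None
            return False
        if not hmac.compare_digest(code, hotp(self.secret, self.counter)):
            return self._fail(now)
        self.issued_at = None   # consume: a code verifies at most once
        self.failures = 0
        return True
```

The `hotp` function reproduces the RFC 4226 Appendix D test vectors (secret `12345678901234567890`, counter 0 gives `755224`), which is a quick way to check the implementation.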