Aditya Anand
Sep 27, 2018

I totally understand your concern regarding the time frame in which the OTPs are valid, and that after that time frame they are treated the same as any other wrong OTP.
The attack that I tried out was on a website where they didn't have that security measure in the first place. This attack worked for me for the very same reason, but still, with Burp Suite Professional edition you can carry out brute-force attacks with a high success rate.