Found your blog post about this. Just wondering, how do you check the 6 digit code is valid on the server side?

I mention this in the blog entry:

More specifically the server will actually compare submitted tokens to all tokens generated for a window of time (e.g. a couple of minutes) to account for the time it takes for you to type the token and send it to the server.

Essentially you repeat the same process on the server.