I use the user's hashed password generated by Bcript.hash(password, 10) as totp secret. The thing is totp.check() isn't guaranteed to return true even if the token is right. Is that Bcrypt hashed secret the reason?