Reference material linked from the blog, including threat models, registers, and similar artifacts.
The full threat model behind the concurrency series: deciding what to defend against in a one-time password service, and what to let go.