Sure, but say the implementation lets you try 5 codes in that 10 minutes with a 30 minute lockout. An attacker could trigger Account Recovery, blindly try 5 six-digit codes immediately, and have a 0.0005% chance getting into your account.

They could script this to run over a long period of time targeting 1 account, or they could target many accounts at once, and would probably have success.

This is my biggest gripe with email auth or any kind of security code via sms/mms. I pray for the day I can fully move to a passwordless setup and break free the mess of email addresses spaghetti and phone numbers.

It’s probably easier to just have an exception log when someone(s) have 100 bad password attempts in a day or whatever.

Feel free to implement something that sends a UUID, and deal with the complaints instead.

I've implemented otp codes / magic links many times now. They absolutely always have a timeout. Say 30 minutes.