Agree with everything, I would add:
Even if you rotate the code on every attempt the probability of randomly guessing a 6-digit numeric code is
1 / 1,000,000
It not taking account timing attacks that may make it even faster to crack a code if implementation is weak.
