It’s easier/more complicated than that. Use 6 digit codes, tied to a specific reset session, with only 3 attempts allowed per-session, and sessions lasting only 5 minutes.