Does the system slow down requests if too many are made in a short window?
Never use common patterns. If you can manually set your own 6-digit code, choose something truly random or, better yet, use an authenticator app (TOTP) that changes every 30 seconds.
5 Password Cracking Techniques Used in Cyber Attacks - Proofpoint