Two factor authentication: expiry of sent text message
I have been asked to research expiry times of text messages sent to a user that contain a login code.
In this journey a user will identify themselves on a website and then ask for a text message to be sent to their phone which contains a temporary pass code. They will enter this passcode into the website and be logged in.
My question: how long should this text code remain valid before it expires?
5 min? 20 min? any guidance?