The code just needs to be random, and it needs to be associated with and only with the one particular session that is attempting to log in.
The code should be stored with an expiration date-time alongside the session, regardless of whether that session is a "traditional" long-lived session or a "login session" that only lives long enough to produces an auth token (like a JWT). Just don't store it or any derivation of it on the client, as that would defeat the purpose. :D