Either with a counter or with Rails's rate limiting.
It should be configurable too.
If somebody uses up their attempts, they should be advised to request a new code.
Default to, say, 5. That should allow even a distracted typist to make several rounds of typos, while stopping brute-force guessing.
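
A sketch of the counter variant in plain Ruby, added here as an example and not taken from the project's code. The class `LoginCode`, its `max_attempts` setting, the status symbols and the message texts are all hypothetical names chosen for illustration.

```ruby
require "digest"

# Hypothetical class for illustration; none of these names come from the project.
class LoginCode
  DEFAULT_MAX_ATTEMPTS = 5 # the default proposed above

  class << self
    attr_writer :max_attempts # configurable, e.g. from an initializer

    def max_attempts
      @max_attempts || DEFAULT_MAX_ATTEMPTS
    end
  end

  MESSAGES = {
    ok: "Signed in.",
    invalid: "That code is not correct. Please try again.",
    exhausted: "Too many incorrect attempts. Please request a new code."
  }.freeze

  attr_reader :failed_attempts

  def initialize(code)
    @digest = Digest::SHA256.digest(code) # keep only a digest of the code
    @failed_attempts = 0
  end

  def exhausted?
    @failed_attempts >= self.class.max_attempts
  end

  # Returns :ok, :invalid or :exhausted. The limit is checked before the
  # comparison, so a spent code rejects even the correct guess.
  def verify(candidate)
    return :exhausted if exhausted?
    return :ok if same_digest?(Digest::SHA256.digest(candidate.to_s))

    @failed_attempts += 1
    exhausted? ? :exhausted : :invalid
  end

  private

  # Compare digests without an early exit on the first differing byte.
  def same_digest?(other)
    @digest.bytes.zip(other.bytes).reduce(0) { |acc, (a, b)| acc | (a ^ b) }.zero?
  end
end
```

In a database-backed model the increment has to be atomic (a single `UPDATE`, or a row lock) so that parallel requests cannot squeeze in more guesses than the limit allows.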