one time password – Security of email OTP authentication

I’m building my own authentication and deciding on the signup/login flow. I would like some security feedback on this type of flow:

  1. User submits email address.
  2. A 6-character alphanumeric one-time code is generated and sent to the provided email. The OTP is saved in the database along with the email and an expiration (5 min).
  3. User enters the code and is logged in. The user is created if it does not exist.

Is this bad security-wise? Am I missing something? I’m thinking the OTP has an expiration of 5 minutes and maximum 3 failed attempts before revoked. Is 6 characters enough?

Auth0 seems to have this as well:
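The flow described in the question, sketched as an added example (not the poster's code and not Auth0's). The class and function names, the in-memory dictionary standing in for the database, and the server-side key are assumptions; the 6-character length, 5-minute expiry and 3-failure limit are the values from the question.

```python
import hashlib
import hmac
import secrets
import string
import time

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols -> 36**6 possible codes
CODE_LEN, TTL_SECONDS, MAX_FAILURES = 6, 300, 3     # values from the question
SERVER_KEY = secrets.token_bytes(32)                # assumption: per-deployment secret

class OtpStore:
    """In-memory stand-in for the database table (hypothetical names)."""

    def __init__(self, clock=time.time):
        self._rows = {}      # email -> [code_mac, expires_at, failures]
        self._clock = clock

    @staticmethod
    def _mac(email, code):
        # Keyed MAC rather than the plain code, so a dump of the table alone
        # does not yield codes that are still valid.
        return hmac.new(SERVER_KEY, f"{email}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, email):
        email = email.strip().lower()
        # secrets uses the OS CSPRNG; the random module is not suitable here.
        code = "".join(secrets.choice(ALPHABET) for _ in range(CODE_LEN))
        # A new code replaces the old one and gets a fresh failure counter, so
        # issuance needs its own rate limit (not shown).
        self._rows[email] = [self._mac(email, code), self._clock() + TTL_SECONDS, 0]
        return code          # in the real flow this is e-mailed, not returned

    def verify(self, email, code):
        email = email.strip().lower()
        row = self._rows.get(email)
        if row is None:
            return False
        if self._clock() >= row[1]:          # expired after 5 minutes
            del self._rows[email]
            return False
        if hmac.compare_digest(row[0], self._mac(email, code.strip().upper())):
            del self._rows[email]            # single use
            return True
        row[2] += 1
        if row[2] >= MAX_FAILURES:           # revoked after 3 failed attempts
            del self._rows[email]
        return False
```
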