When SMS confirmation codes first went mainstream, they were four digits long.
Then, five digits long.
Today I had to enter a seven-digit SMS code to confirm my login with UnitedHealthcare.
This security technique is hitting a useability wall. Going beyond eight digits will make people not use it for two-factor authentication.