Two-step login (username, then email or SMS)

I have completed my first site’s login logic where the user information is stored in a table.

Now I wish to enhance the security even further by not only requiring username/password, but also a second login step where a user must choose between receiving a randomly generated code (e.g. 4-digit number) either by email or by SMS.

I have a model that handles the initial login by extending ActiveRecord and implementing IdentityInterface to read and compare form input data with the database. I assume I need to make another model for storing the randomly generated codes with links to users in the DB.

How should I proceed in best practice to implement this two-step login? All advice is appreciated :)