We are setting up Multifactor authentication for a Single Sign On project. Anytime a new device is detected, a PIN is sent to their email or sms (user chooses). How long do you suggest this PIN be valid till? It is set to 5mins right now. Is that enough time?