What’s the optimal length for a 2FA code?

Yes and no. They use the app as the 2fa, and store a secret there. The code is to stop someone just idley clicking accept when someone else tries to 2fa. Believe it or not, pressing accept rather than 'I didn't request 2fa, ohshit' seems to be a thing people do.