Hacker News

...and I hope you used a proper TOTP method to generate and validate this 6-digit code!


Why? You just need a random number.


This!

Send them a random number. If you really need it time-based then store the expiry time along with the code you sent them.

Anytime you check the code you see if $current_time is greater than the $expiry_time.
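A worked version of the approach this comment describes (random code, stored expiry, check `$current_time` against `$expiry_time`), added here as an illustration and not code from the thread. It also adds the two things a practitioner would want alongside it: a wrong-guess counter, so a 6-digit code cannot be brute-forced, and single-use semantics. The in-memory `_pending` dict, the 10-minute TTL and the 5-attempt limit are assumptions; the `now` parameter exists so the expiry logic can be exercised without waiting.

```python
import hmac
import secrets
import time
from typing import Dict, Optional

# Constructed in-memory store standing in for a database row keyed by user id
# (hypothetical schema, not from the thread).
_pending: Dict[str, dict] = {}

CODE_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes
MAX_ATTEMPTS = 5         # assumption: discard the code after 5 wrong guesses


def issue_code(user_id: str, now: Optional[float] = None) -> str:
    """Generate a fresh 6-digit code, store it with its expiry and return it
    (the caller emails it). Re-issuing replaces any earlier code, so only the
    most recently sent code is ever valid, which answers 'which one to use?'"""
    now = time.time() if now is None else now
    # secrets.randbelow is a CSPRNG and is uniform over 000000..999999.
    code = f"{secrets.randbelow(1_000_000):06d}"
    _pending[user_id] = {
        "code": code,
        "expires_at": now + CODE_TTL_SECONDS,
        "attempts": 0,
    }
    return code


def verify_code(user_id: str, submitted: str, now: Optional[float] = None) -> bool:
    """Return True exactly once for a correct, unexpired code.
    Every guess counts against MAX_ATTEMPTS; an expired or exhausted code is
    deleted, so the user has to request a new one."""
    now = time.time() if now is None else now
    entry = _pending.get(user_id)
    if entry is None:
        return False
    if now > entry["expires_at"]:
        del _pending[user_id]
        return False
    entry["attempts"] += 1
    if entry["attempts"] > MAX_ATTEMPTS:
        del _pending[user_id]
        return False
    # Constant-time comparison so response timing does not leak a matching prefix.
    if hmac.compare_digest(entry["code"], submitted):
        del _pending[user_id]   # single use
        return True
    return False
```

The attempt counter is per issued code, not per user, so a legitimate user who was locked out simply requests a new code; the attacker gets at most five guesses against a million possibilities per email sent.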


TOTP is good in theory but not ideal for sending via email. Users might miss the email, or it gets delayed, then they want to resend the email and end up with two codes or more. Which one to use then? And you might want brute-force protection, so you introduce a rate limit, which can lock users out in those scenarios.


I would not use a TOTP but a stateless HMAC token in this case. I was only evoking TOTP because the original comment mentioned a 6-digit code (which is not a proper way to reset a password).
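An added example of the stateless HMAC token this comment prefers over a 6-digit code, written for this page and not the commenter's own code. The token carries its own expiry, so no row has to be stored, and the MAC key is derived from the server secret together with the user's current password hash: once the password is reset the hash changes, every outstanding token stops verifying, and single use falls out without any state. The `SERVER_SECRET` value, the one-hour TTL, the JSON claim names and the `lookup_password_hash` callback are assumptions; the `now` parameter is there so expiry can be tested offline.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Callable, Optional

# Assumption: loaded from configuration in a real deployment; constructed here.
SERVER_SECRET = b"constructed-example-secret-do-not-use"
TOKEN_TTL_SECONDS = 3600   # assumption: a reset link is valid for one hour


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _mac(payload: bytes, password_hash: str) -> bytes:
    # Derive a per-user key from the server secret and the *current* password
    # hash. When the password changes the key changes and the token dies,
    # which makes the token single-use without storing anything.
    key = hmac.new(SERVER_SECRET, password_hash.encode(), hashlib.sha256).digest()
    return hmac.new(key, payload, hashlib.sha256).digest()


def issue_token(user_id: str, password_hash: str, now: Optional[float] = None) -> str:
    """Build 'base64url(claims).base64url(mac)' for a password-reset link."""
    now = time.time() if now is None else now
    claims = {"uid": user_id, "exp": int(now + TOKEN_TTL_SECONDS)}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return _b64(payload) + "." + _b64(_mac(payload, password_hash))


def verify_token(token: str,
                 lookup_password_hash: Callable[[str], Optional[str]],
                 now: Optional[float] = None) -> Optional[str]:
    """Return the user id the token is valid for, or None on any failure.
    The MAC is checked before any claim, including exp, is trusted."""
    now = time.time() if now is None else now
    try:
        payload_b64, mac_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        claims = json.loads(payload)
        uid = str(claims["uid"])
        exp = int(claims["exp"])
        supplied_mac = _unb64(mac_b64)
    except (ValueError, KeyError, TypeError):
        return None
    current_hash = lookup_password_hash(uid)
    if current_hash is None:
        return None
    if not hmac.compare_digest(_mac(payload, current_hash), supplied_mac):
        return None
    if now > exp:
        return None
    return uid
```

Because nothing is stored, resending the email just mints another token for the same user, and all of them verify until the password actually changes or they expire; the point the earlier comment raises about "two codes or more" goes away. The trade-off is that a token cannot be revoked early except by rotating `SERVER_SECRET` or changing the password hash, which is why binding the key to the hash matters.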



