With the isAvailable() method, the challenges can tell Kirby if the challenge can be used to authenticate the current user. If false is returned, the next challenge is tried. This is useful for challenges that have additional requirements, e.g. a TOTP challenge needs a prior registration, an SMS challenge needs the mobile number etc.
This affects your plugin if you return a generated code from the create() method. Kirby will automatically check the timeout when verifying the entered code (even a valid code won't be accepted if it was entered after the timeout).
If your challenge doesn't generate and return a code but the code instead gets generated by the user themselves (e.g. via TOTP or with a hardware token), the code timeout does not have an effect. However you can use the option auth.challenge.timeout for your own validation if applicable.