
Correct me if I'm wrong, but IIRC that second factor is a 4-digit number you pick at your first login.


The second factor is called a "PIN" in the RSA documentation, but the details can be configured by the administrator in a particular deployment. The administrator can set an allowed length range (with minimum and maximum between 4 and 8), and can choose to allow alphanumeric "PIN"s.

RSA's recommendation is for alphanumeric PINs of at least 6 characters.

Note also that a small number of tries with an incorrect PIN but correct tokencode will lock the account as "token stolen".


I think you're wrong. My work uses RSA SecurID and my password is longer and more complex than a 4-digit number.


It is. Where I work, I have to use account name, 4-digit PIN, and the current token value to log in to systems protected by the RSA token.



