You should be using secure random numbers (os.urandom()), not random numbers. The problem with what you're currently doing is that if an attacker generates enough of the sequence they can guess future members also (which could be a different user).

Also your code has a bug: What if generate_random_string returns the same result twice? You don't check for that.

A 20 digit long code with a 26 digit set likely IS secure enough. But why not just add 0-9 for funzies? It won't break compatibility, and expands the scope quite nicely.