Close. The biscuit doesn't carry launch codes. those are kept with the football. The biscuit is used to confirm that the president was the one issuing the commands. Think of it as a fancy RSA token.
Also, while sec of defense is in the loop, his sole purpose is to verify that it is the president who issued the launch orders. He has no veto authority. He is bound to follow the orders of the president, no matter how much he disagrees with them. His only option would be to refuse to cooperate because he says the order is illegal. But that would be hard in the case of launching a nuclear strike since it is legal for the president to do that. The president could then go to another commander to approve the strikes - the system is designed to work if the joint chiefs are dead.
In reality, once the brat issues the orders, they will be followed. The system is designed to be rapid and durable.