I'm developing a new web page that is public facing. When the user hits the web page, they are prompted to enter their phone# and email id and click submit. An OTP is generated by the server and sent via SMS to the phone# and another OTP is sent to the email id. Each OTP record in the database is associated with an otp id and the otp number (for lack of a better word). The user is next prompted to enter both OTPs (the otp numbers) and click the validate button.
I don't want to send the phone#, email id and otp number entered by the user on the same POST request (not using GET due to security reasons) for validation since that would not be very secure. Hence I was considering sending the otp id (saved as a hidden field on the form) & otp number on the POST request for validation. Does anybody see any security-related issues with this?
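
An added example, not part of the original post: server-side handling of the otp id and otp number pair described above, written in Python. The session binding, the 300-second expiry, the five-attempt limit, the in-memory dictionary standing in for the database table, and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window
MAX_ATTEMPTS = 5       # assumed guess limit per otp id
_records = {}          # stand-in for the OTP table, keyed by otp id


def _digest(otp_id, otp_number):
    # Keep only a hash bound to the otp id, not the OTP itself.
    return hashlib.sha256(f"{otp_id}:{otp_number}".encode()).digest()


def issue_otp(session_id, channel, now=None):
    """Create a record; return (otp_id for the hidden field, otp_number to send)."""
    now = time.time() if now is None else now
    otp_id = secrets.token_urlsafe(16)  # random, not a sequential row id
    otp_number = f"{secrets.randbelow(10**6):06d}"
    _records[otp_id] = {"session": session_id, "channel": channel,
                        "digest": _digest(otp_id, otp_number),
                        "expires": now + OTP_TTL_SECONDS,
                        "attempts": 0, "used": False}
    return otp_id, otp_number


def validate_otp(session_id, channel, otp_id, otp_number, now=None):
    """Return 'ok', 'invalid', 'expired' or 'locked' for one submitted pair."""
    now = time.time() if now is None else now
    rec = _records.get(otp_id)
    # The hidden field is client-controlled: the id must exist, be unused,
    # and belong to this session and channel.
    if (rec is None or rec["used"] or rec["session"] != session_id
            or rec["channel"] != channel):
        return "invalid"
    if now > rec["expires"]:
        return "expired"
    if rec["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    rec["attempts"] += 1  # count every guess before comparing
    if hmac.compare_digest(rec["digest"], _digest(otp_id, otp_number)):
        rec["used"] = True  # single use: a replayed POST fails
        return "ok"
    return "invalid"
```

The validate button's POST would call `validate_otp` once for the SMS pair and once for the email pair, and proceed only when both return `'ok'`.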