I am building an OTP Service using an Azure Functions backend.
It'll be 2 APIs: one to create an OTP and store it in Azure Storage / Cosmos DB, which will call an outside API to send the OTP via SMS/email. Once the user enters the received code, it'll call the 2nd API, which will verify it against the DB/Storage.
My question is, this will serve a public-facing website which will provide sensitive data to users that are not authenticated otherwise. Is it a safe / secure way to provide user data?
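
The two-API flow described above, sketched as an added example that is not part of the original post: the code is generated from a CSPRNG, only a keyed digest is stored, and verification is expiring, attempt-limited and single-use. The in-memory dict standing in for Cosmos DB / Azure Storage, the function names, the 5-minute lifetime and the 5-attempt limit are all assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300      # assumed policy: code valid for 5 minutes
MAX_ATTEMPTS = 5           # assumed policy: guesses allowed per issued code
SERVER_KEY = secrets.token_bytes(32)  # in a deployment, load from a secret store

# Hypothetical stand-in for the Cosmos DB / Azure Storage container.
_store = {}


def _digest(user_id, code):
    # Bind the digest to the user so a record is useless for any other user.
    return hmac.new(SERVER_KEY, f"{user_id}:{code}".encode(), hashlib.sha256).digest()


def create_otp(user_id, now=None):
    """API 1: issue a 6-digit code; only its keyed digest is persisted."""
    now = time.time() if now is None else now
    code = f"{secrets.randbelow(10**6):06d}"  # CSPRNG, not the random module
    _store[user_id] = {
        "digest": _digest(user_id, code),
        "expires": now + OTP_TTL_SECONDS,
        "attempts_left": MAX_ATTEMPTS,
    }
    return code  # handed to the SMS/e-mail sender, never returned to the browser


def verify_otp(user_id, code, now=None):
    """API 2: check a submitted code; single use, expiring, attempt-limited."""
    now = time.time() if now is None else now
    record = _store.get(user_id)
    if record is None:
        return False
    if now > record["expires"] or record["attempts_left"] <= 0:
        del _store[user_id]
        return False
    record["attempts_left"] -= 1  # count the attempt before comparing
    if hmac.compare_digest(record["digest"], _digest(user_id, code)):
        del _store[user_id]  # a code can be redeemed once
        return True
    return False
```

With a 6-digit code, the attempt limit is what bounds guessing: without it, the verify API can be brute-forced within the code's lifetime.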