URL encoding solves part of this.

  >Example.com/Verify/5W9GF

If it fails, prompt for OTP on the fallback /Verify/ or /code/ page.

Local convenience cookie for authenticating device and permi-cookie for requesting device.

Permanent cookies should be accompanied with a 4 digit numeric PIN between any critical functions unless the session is new.