Yes, that would be right. You could think of submitting the order as signing-up for an "order account" — as well as recording the order details, obviously — and the "order number" would be related to the rest of the order directly in the database structure. Somebody may then enter an "order number" in a form for "checking the status of an order", and if the "order number" exists, and matches with an order in your database, you could then think of that as a (very insecure) login.
It's entirely possible, whether or not it's a good idea depends a lot of what information and options you wish to keep and make available to the people using it. A headless chicken could probably brute-force a single 5 character string validation with success, especially if it's numeric.