I'm working on a Google TOTP extension for Play-Silhouette (see the corresponding Play-Silhouette-Seed project here) and was wondering whether the scratch or recovery codes are order-sensitive. By order-sensitive I mean that they must be used once and in the order given, sort of like the PIN/PUK/PUK2 cell phone unlock codes.

Another related question ... this is sort of obvious but better to be sure. Are scratch codes stored in a similar fashion as passwords? Encrypted & salted too? I think it would make sense to treat them as passwords ... or?

SkyWalker

1 Answer

The "scratch" codes are not a part of TOTP at all; they are just a mechanism to be used in case the TOTP profile is lost. Therefore, there are no standards or recommendations for these.

Emin
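
One possible design for the two questions in this thread, as an added example that is not part of the original posts and not Play-Silhouette's own code: scratch codes are stored only as salted PBKDF2 hashes, and any unused code is accepted exactly once, in any order. Because no standard covers scratch codes, the code count, code length, iteration count, record layout and function names are all assumptions of this sketch.

```python
import hashlib
import hmac
import secrets

# Assumed parameters for this sketch; none of them come from a standard.
CODE_COUNT = 5             # codes issued per user
CODE_DIGITS = 8            # decimal digits per code
PBKDF2_ITERATIONS = 100_000  # tune to your latency budget


def _hash_code(code: str, salt: bytes) -> bytes:
    # Short numeric codes have little entropy, so a salted slow hash only
    # raises the cost of an offline search; it does not make it infeasible.
    return hashlib.pbkdf2_hmac("sha256", code.encode("ascii"), salt, PBKDF2_ITERATIONS)


def issue_scratch_codes():
    """Return (plaintext codes shown to the user once, records to persist)."""
    codes, records = [], []
    for _ in range(CODE_COUNT):
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        salt = secrets.token_bytes(16)  # per-code salt
        codes.append(code)
        records.append({"salt": salt, "hash": _hash_code(code, salt), "used": False})
    return codes, records


def redeem_scratch_code(records, candidate: str) -> bool:
    """Accept any unused code regardless of its position, then burn it."""
    if len(candidate) != CODE_DIGITS or not (candidate.isascii() and candidate.isdigit()):
        return False
    matched = None
    for record in records:
        # Every record is checked so timing does not reveal which slot matched.
        ok = hmac.compare_digest(_hash_code(candidate, record["salt"]), record["hash"])
        if ok and not record["used"] and matched is None:
            matched = record
    if matched is None:
        return False
    matched["used"] = True  # single use: a replay of the same code fails
    return True
```

In a real deployment the `used` update has to be atomic in the datastore, and failed attempts should be rate-limited in the same way as failed TOTP attempts.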