I'm working on a Google TOTP extension for Play-Silhouette (see the corresponding Play-Silhouette-Seed project here) and was wondering whether the scratch or recovery codes are order-sensitive. By order-sensitive I mean that they must be used once and in the order given, sort of like the PIN/PUK/PUK2 cell phone unlock codes.
Another related question ... this is sort of obvious, but better to be sure. Are scratch codes stored in a similar fashion to passwords? Encrypted & salted too? I think it would make sense to treat them as passwords ... or?
The "scratch" codes are not a part of TOTP at all; it is just a mechanism to be used in case the TOTP profile is lost. Therefore, there are no standards or recommendations for these.
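
Because no standard fixes the behaviour, the implementer chooses it. The following is an added example, not part of the original posts and not code from Play-Silhouette or Google Authenticator: one possible design in which codes are single-use, accepted in any order, and stored only as salted PBKDF2 hashes. The function names, code length, iteration count and record layout are all assumptions.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumption: tune to your hardware
CODE_DIGITS = 8       # assumption: short codes are why a slow hash is used


def _hash(code: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", code.encode(), salt, ITERATIONS)


def generate_scratch_codes(n: int = 5):
    """Return (plaintext codes shown to the user once, records to persist)."""
    codes, records = [], []
    while len(codes) < n:
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        if code in codes:  # avoid handing out the same code twice
            continue
        salt = secrets.token_bytes(16)  # per-code salt
        codes.append(code)
        records.append({"salt": salt, "hash": _hash(code, salt), "used": False})
    return codes, records


def redeem_scratch_code(candidate: str, records) -> bool:
    """Accept any unused code, in any order, exactly once."""
    candidate = candidate.strip().replace(" ", "")
    matched = None
    for rec in records:  # check every record so timing does not reveal position
        ok = hmac.compare_digest(_hash(candidate, rec["salt"]), rec["hash"])
        if ok and not rec["used"] and matched is None:
            matched = rec
    if matched is None:
        return False
    # In a real store this update must be atomic (e.g. one DB transaction),
    # otherwise two parallel logins could redeem the same code.
    matched["used"] = True
    return True


if __name__ == "__main__":
    codes, records = generate_scratch_codes()
    print(redeem_scratch_code(codes[3], records))  # any order is accepted
    print(redeem_scratch_code(codes[3], records))  # replay is rejected
```

A design that enforces a fixed order would instead compare only against the first unused record; nothing in TOTP requires either choice.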