In order to make my question more specific, I'd like to explain my task.
I'm trying to implement a component/service that's responsible for creating OTPs (namely, time-based ones).
Note: It doesn't really matter if a TOTP is sent via SMS or to the user's email address.
For example, if a user has forgotten their password and wants to recover it, my system must verify this transaction and then allow them to change it.
Also, I'm going to create transaction types (probably, it will be an enum). This mechanism will help to distinguish one TOTP from another. It would be a security issue if I let a user change their password using a TOTP which was created to change their email address, for example.
The question is, should I allow each user to have multiple TOTPs for different transaction types?
For example, if a user has requested a TOTP to change their password, should I allow them to request another one to change their email address (right after the first request, so now the user has two valid TOTPs pending to be used)?
I see no problem in allowing users to have multiple tokens that are valid at the same time for different actions, as long as each token is restricted to authorising the action it is intended for and the tokens time out accordingly if they are not used.
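A sketch of the arrangement described in the answer above, added here as an example and not code from either poster: one pending code per (user, transaction type), each with its own expiry, usable once, and rejected for any other action. It uses server-issued random codes with a time limit in place of an RFC 6238 TOTP derivation; `OtpService`, `Purpose` and the in-memory store are hypothetical names and assumptions.

```python
import hashlib
import hmac
import secrets
import time
from enum import Enum


class Purpose(Enum):  # hypothetical transaction types
    PASSWORD_RESET = "password_reset"
    EMAIL_CHANGE = "email_change"


class OtpService:
    """Holds at most one pending code per (user, purpose) pair."""

    def __init__(self, ttl_seconds=300, clock=time.time):
        self._ttl = ttl_seconds
        self._clock = clock  # injectable so expiry can be exercised in tests
        self._key = secrets.token_bytes(32)  # server-side key for stored digests
        self._pending = {}  # (user_id, Purpose) -> (digest, expires_at)

    def _digest(self, user_id, purpose, code):
        # User and purpose are part of the MAC input, so a stored digest
        # only matches a code presented for the action it was issued for.
        msg = f"{user_id}|{purpose.value}|{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, user_id, purpose):
        code = f"{secrets.randbelow(10**6):06d}"
        # A repeat request for the same purpose replaces the old code;
        # codes pending for other purposes stay valid.
        self._pending[(user_id, purpose)] = (
            self._digest(user_id, purpose, code),
            self._clock() + self._ttl,
        )
        return code  # hand this to the SMS or e-mail sender

    def verify(self, user_id, purpose, code):
        entry = self._pending.get((user_id, purpose))
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() >= expires_at:
            del self._pending[(user_id, purpose)]  # timed out unused
            return False
        if not hmac.compare_digest(digest, self._digest(user_id, purpose, code)):
            return False
        del self._pending[(user_id, purpose)]  # single use
        return True
```

A six-digit code also needs a cap on failed attempts per pending entry, which this block leaves out.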