diff --git a/src/Key/TOTPKey.php b/src/Key/TOTPKey.php
index 2288c394..b35df877 100644
--- a/src/Key/TOTPKey.php
+++ b/src/Key/TOTPKey.php
@@ -121,7 +121,7 @@ class TOTPKey implements IAuthKey {
 	}
 
 	/**
-	 * @return array
+	 * @return string[]
 	 */
 	public function getScratchTokens() {
 		return $this->scratchTokens;
@@ -181,33 +181,28 @@ class TOTPKey implements IAuthKey {
 
 		// See if the user is using a scratch token
 		if ( !$retval ) {
-			$length = count( $this->scratchTokens );
-			// Detect condition where all scratch tokens have been used
-			if ( $length === 1 && $this->scratchTokens[0] === "" ) {
-				$retval = false;
-			} else {
-				for ( $i = 0; $i < $length; $i++ ) {
-					if ( $token === $this->scratchTokens[$i] ) {
-						// If there is a scratch token, remove it from the scratch token list
-						array_splice( $this->scratchTokens, $i, 1 );
+			foreach ( $this->scratchTokens as $i => $scratchToken ) {
+				if ( $token === $scratchToken ) {
+					// If we used a scratch token, remove it from the scratch token list.
+					// This is saved below via OATHUserRepository::persist, TOTP::getDataFromUser.
+					array_splice( $this->scratchTokens, $i, 1 );
 
-						$logger->info( 'OATHAuth user {user} used a scratch token from {clientip}', [
-							'user' => $user->getAccount(),
-							'clientip' => $clientIP,
-						] );
+					$logger->info( 'OATHAuth user {user} used a scratch token from {clientip}', [
+						'user' => $user->getAccount(),
+						'clientip' => $clientIP,
+					] );
 
-						$auth = MediaWikiServices::getInstance()->getService( 'OATHAuth' );
-						$module = $auth->getModuleByKey( 'totp' );
+					$auth = MediaWikiServices::getInstance()->getService( 'OATHAuth' );
+					$module = $auth->getModuleByKey( 'totp' );
 
-						/** @var OATHUserRepository $userRepo */
-						$userRepo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
-						$user->addKey( $this );
-						$user->setModule( $module );
-						$userRepo->persist( $user, $clientIP );
-						// Only return true if we removed it from the database
-						$retval = self::SCRATCH_TOKEN;
-						break;
-					}
+					/** @var OATHUserRepository $userRepo */
+					$userRepo = MediaWikiServices::getInstance()->getService( 'OATHUserRepository' );
+					$user->addKey( $this );
+					$user->setModule( $module );
+					$userRepo->persist( $user, $clientIP );
+					// Only return true if we removed it from the database
+					$retval = self::SCRATCH_TOKEN;
+					break;
 				}
 			}
 		}