diff --git a/OATHAuthKey.php b/OATHAuthKey.php
index 0dd1fffa..ad6c0fe0 100644
--- a/OATHAuthKey.php
+++ b/OATHAuthKey.php
@@ -156,4 +156,16 @@ class OATHAuthKey {
 }
 $this->scratchTokens = $scratchTokens;
 }
+
+ /**
+ * Check if a token is one of the scratch tokens for this two factor key.
+ *
+ * @param string $token Token to verify
+ *
+ * @return bool true if this is a scratch token.
+ */
+ public function isScratchToken( $token ) {
+ $token = preg_replace( '/\s+/', '', $token );
+ return in_array( $token, $this->scratchTokens, true );
+ }
 }
diff --git a/i18n/en.json b/i18n/en.json
index 04f951bb..8d2be136 100644
--- a/i18n/en.json
+++ b/i18n/en.json
@@ -15,6 +15,7 @@
 "oathauth-token": "Token",
 "oathauth-disable": "Disable two-factor authentication",
 "oathauth-validatedoath": "Validated two-factor credentials. Two-factor authentication will now be enforced.",
+ "oathauth-noscratchforvalidation": "You cannot use a scratch code to confirm two-factor authentication. Scratch codes are for backup and incidental use only. Please use a verification code from your code generator.",
 "oathauth-failedtovalidateoath": "Failed to validate two-factor credentials",
 "oathauth-disabledoath": "Disabled two-factor authentication.",
 "oathauth-prefs-label": "Two-factor authentication:",
diff --git a/i18n/qqq.json b/i18n/qqq.json
index 8246b342..b96d94c6 100644
--- a/i18n/qqq.json
+++ b/i18n/qqq.json
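Review bot: `isScratchToken` strips whitespace and then does a strict `in_array` lookup, and that normalisation has to match exactly what `verifyToken` applies to scratch tokens, because the new enrolment guard in SpecialOATHEnable.php depends on the two agreeing: any token form that `verifyToken` would still accept as a scratch token but that this method does not recognise would slip past the guard and let a scratch code confirm enrolment, which is what this change sets out to prevent. `verifyToken` is outside this diff so I cannot confirm they agree; consider moving the normalisation into one private helper used by both paths, e.g. `private function normalizeToken( $token ) { return preg_replace( '/\s+/', '', $token ); }`. The docblock could state the comparison rule explicitly, e.g. `@param string $token Token to verify; whitespace is ignored, comparison is otherwise exact and case-sensitive`. Note also that a `preg_replace` failure yields null, which the strict `in_array` treats as "not a scratch token"; a one-line comment such as `// null from preg_replace falls through to false (fail closed)` would keep the next reader from treating that as a bug.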
@@ -22,6 +22,7 @@
 "oathauth-token": "HTMLForm label, found on [[Special:OATH]], when verifying OATH.\n{{Identical|Token}}",
 "oathauth-disable": "Page title on Special:OATH while disabling OATH.\n\nSee [https://en.wikipedia.org/wiki/Two_factor_authentication two factor authentication]",
 "oathauth-validatedoath": "Plain text found on Special:OATH after a token has been validated.\n\nSee [https://en.wikipedia.org/wiki/Two_factor_authentication two factor authentication]",
+ "oathauth-noscratchforvalidation": "Plain text found on Special:OATH if the user used the incorrect type of token while enabling OATH.\n\nSee [https://en.wikipedia.org/wiki/Two_factor_authentication two factor authentication]",
 "oathauth-failedtovalidateoath": "Plain text found on Special:OATH when validation of a token has failed.\n\nSee [https://en.wikipedia.org/wiki/Two_factor_authentication two factor authentication]",
 "oathauth-disabledoath": "Plain text found on Special:OATH when disabling OATH has been successful.\n\nSee [https://en.wikipedia.org/wiki/Two_factor_authentication two factor authentication]",
 "oathauth-prefs-label": "Plain text label seen on Special:Preferences\n\nSee [https://en.wikipedia.org/wiki/Two_factor_authentication two factor authentication]\n{{Identical|Two factor authentication}}",
diff --git a/special/SpecialOATHEnable.php b/special/SpecialOATHEnable.php
index 44d887d4..fac981fe 100644
--- a/special/SpecialOATHEnable.php
+++ b/special/SpecialOATHEnable.php
@@ -157,6 +157,10 @@ class SpecialOATHEnable extends FormSpecialPage {
 /** @var OATHAuthKey $key */
 $key = $this->getRequest()->getSessionData( 'oathauth_key' );
+ if ( $key->isScratchToken( $formData['token'] ) ) {
+ // A scratch token is not allowed for enrollement
+ return [ 'oathauth-noscratchforvalidation' ];
+ }
 if ( !$key->verifyToken( $formData['token'], $this->OATHUser ) ) {
 return [ 'oathauth-failedtovalidateoath' ];
 }