Why use one-time codes for two-factor authentication backups?
Compared with something like SMS or email OTPs, I don't think there's as strong a case to make these one-time-use, but the same arguments still apply.
Let's assume that I have the codes printed out on paper. Then during the recovery process, the recovery code passes through all of the following nodes:
- Plaintext: My computer's keyboard, OS, browser
- ENCRYPTED BY HTTPS: browser --> server's TLS endpoint (for ex. CloudFront)
- Plaintext: TLS endpoint --> networking equipment --> application server
- Plaintext: Application server <--> db <--> other internal compenents.
The point is that even with HTTPS, there are a lot of nodes that will have your code in memory (or maybe in logs) as part of the recovery process. If the code is multi-use, then you have to trust that every single one of those nodes is honest and not infected with malware. If the code is one-time-use, then once it's been used, you don't care if it ends up in logs or whatever.
It's not a rock-solid argument, but it's the best I can come up with.