diff --git a/lib/active_model/one_time_password.rb b/lib/active_model/one_time_password.rb
index cd0f6b8..11fa555 100644
--- a/lib/active_model/one_time_password.rb
+++ b/lib/active_model/one_time_password.rb
@@ -152,7 +152,7 @@ def backup_codes_enabled?
       def authenticate_backup_code(code)
         backup_codes_column_name = self.class.otp_backup_codes_column_name
         backup_codes = public_send(backup_codes_column_name)
-        return false unless backup_codes.include?(code)
+        return false unless backup_codes.present? && backup_codes.include?(code)
 
         if self.class.otp_one_time_backup_codes
           backup_codes.delete(code)