The code itself is generated from a secret key that is shared between both the device (phone?) and web site. If your phone scanned a QR code during 2FA set up (which is what Google did for me) that code was transferred to your phone.
The login code generator takes the secret key from the QR code, and the current time in multiples of 30 seconds, and generates a code from that. As long as the web site and your phone’s clocks are synchronized, you’re good.
Latest Answers