How does the Google Authenticator app work?

3 Answers

Anonymous 0 Comments

It uses your phone’s GPS clock and public encryption key(s). Every 30-60 seconds it encrypts the time using this key and displays the result on your phone screen.

The servers that use it have a matching private key. They decrypt what you type and if it is the correct time, they let you in.

Anonymous 0 Comments

Without getting too far into the details, the idea is that there are some mathematical calculations that are very easy to do in one direction but very difficult to do in the other. An analogy would be mixing paint together; it is easy to take two colors and mix to find the new color, but impractical to separate the two paints once they are mixed.

The authenticator app uses those calculations to generate single-use keys from two things: a secret token and the current time. Because the server also knows those things, they both can easily calculate what the key should be at the present time and verify that the user knows the secret token. However, if someone is listening to the exchange of the calculated key, they cannot reverse the calculations to figure out the secret token, and because it involves the current time there is no way to just remember the answer and use it again later.

Anonymous 0 Comments

Your phone and the application pre-share a secret, typically via a QR code scanner.

Both your phone and the application can take that secret, do some math with it and the current time, and create a new time-sensitive secret.

If you enter the right code at the right time, the app knows you must have the original secret. If you enter the same code a few minutes later, it doesn’t trust that you have the original secret.

One important thing is that the way the math is done, you can’t find out the original secret, even if you have millions of codes.