Without getting too far into the details, the idea is that there are some mathematical calculations that are very easy to do in one direction but very difficult to do in the other. An analogy would be mixing paint together; it is easy to take two colors and mix to find the new color, but impractical to separate the two paints once they are mixed.

The authenticator app uses those calculations to generate single use keys from two things: a secret token and the current time. Because the server also knows those things they both can easily calculate what the key should be at the present time and verify that the user knows the secret token. However if someone is listening to the exchange of the calculated key they cannot reverse the calculations to figure out the secret token, and because it involves the current time there is no way to just remember the answer and use it again later.